My background is in web apps, so when storing a user's password we use a cryptographic hash and salt it so that it is not recoverable.
My basic understanding of what is happening is that to check if a password is correct, we perform the same hashing on the inputted password and check if the hashes are identical. At no point are the plain text passwords checked against each other, it simply isn't possible (and nor should it be!)
At no point would it be possible to ask a user to "enter characters 2, 3 and 9" from your password as the hashing algorithms users don't allow us to match substrings from the password. In fact, we couldn't even calculate the length of the password so asking for the 10th letter of a password might confuse the user since the password might only be 8 characters long.
Every online UK bank I've ever used (except Monzo) asks me for 3 characters from a password when I login.
My question is: How is this possible? Presumably it's one of two things:
- The bank stores the password in plain text, thus allowing the bank to ascertain both the length of the password and any substrings making this a trivial string comparison.
- They're using a hashing algorithm that I'm unaware of and would love to know more about.
I fear it's the former, but would love to know more if it's the latter.