Re: Santander must also not be hashing passwords
My Santander online access is a userid (can be customised) and password, which then presents you with a screen giving you a piece of information you have previously supplied to them so you can be more sure they're not a fraud site (unless it's doing some passthrough stuff) and then asks for a full 5 digit pin number.
I presume (faint hope) the banks that ask for individual character combinations from passwords / keywords have a slightly restricted list of combinations which are hashed? If my password is 10 characters long, then there are 120 different ways to choose 3 characters - it doesn't seem unrealistic to think they might have that many hashes stored for me...
Clinging to hope here!
Biting the hand that feeds IT
