Re: Santander must also not be hashing passwords
Santander's login differs depending on which bank they took over that you used to be with. I locked myself out once due to their telephone banking system asking me for a field I don't have on my account.
The customer ID length being "unknown" would be very weak security by obscurity.
Storing hashes of each 3-character combination of your password (along with the necessary indexes of the characters) is pointless - it vastly reduces the attack space to brute force your password. Once you've got the first three characters, attacking another hash that re-uses 2 of your now-known characters is simple, and so on.