Re: Dunce Cap tip
Yes and no. It's security 101 to not store passwords in plain text on a server. Using salted hashes is just one technique to do so. You can be pretty confident they're not storing them in plain text. PCI DSS is clear (hah) on the issue: "Render all passwords unreadable during transmission and storage on all system components using strong cryptography"
However you can also be pretty confident they're not hashing them - these systems are old and would have balked at the space constraints implied by hashing + salting all the partial password combinations. They could but probably don't use a secret sharing scheme to test if the subcomponents of the password provided match the password.
What they're probably doing is just encrypting the password. Which protects against most but not all of the same things as hashing. They're hopefully doing it in an HSM, which provides pretty robust physical protections against the password ever being retrieved.
So, you know, don't re-use your banking passwords.
Biting the hand that feeds IT
