>>Speaking of which... I'm by no means a security expert (though I know more than most people I know), but one thing has been bugging me of late:
'Please enter the 3rd, 5th and 8th letters of your password [ _ ] [ _ ] [ _ ]'
I see this on some banking websites. Surely, if you can enter a selection of characters and have them validated against your password, that means the password can't be salted and hashed?
It implies symmetric encryption. So the password in the database will be encrypted (I would hope!), but much like you keep a salt for your hashes, you keep a key for encryption/decryption. In either case, an attacker would need not only the records themselves but also the accompanying salt or key, respectively. However, this can happen, and with a hash they're essentially guessing at passwords and seeing if they match the hash, whereas with encryption they can actually reverse it. So yes - all else being equal, the encryption method is less secure. (Caveat for completeness: using something like BCrypt takes longer than using, say, MD5 for hashes, which slows down the speed at which one can match possible passwords against the hash / encrypted form.)
Either that, or HSBC has decided to hash each letter of your password individually for extra security. ;) :D
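To make the reasoning in the reply above concrete, here is an added example (not code from the thread, and not HSBC's or any bank's actual scheme) that contrasts the three storage options it mentions: a salted slow hash, which can only answer "is this the whole password?"; reversible encryption, which can answer "are these the 3rd, 5th and 8th characters?" but hands the attacker the plaintext the moment key and record leak together; and the joke option of hashing each letter separately, which goes a step beyond the post by showing why that one falls to a trivial per-position brute force. The password, key and alphabet are constructed for the demo, and the stream cipher is a toy HMAC-in-counter-mode construction standing in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Sequence

# Constructed sample values for the demo (assumptions, not real bank data).
SAMPLE_PASSWORD = "Tr0ub4dor"
SAMPLE_KEY = bytes(range(32))            # a real system would keep this in an HSM/KMS
ALPHABET = string.ascii_letters + string.digits + string.punctuation


# --- Option A: salted, slow hash. Only whole-password checks are possible. ---

def store_hashed(password: str, iterations: int = 100_000) -> Dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_hashed(record: Dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# --- Option B: reversible encryption. Enables partial checks, but decrypts outright. ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for a real cipher: HMAC-SHA256 in counter mode.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_encrypted(password: str, key: bytes) -> Dict:
    nonce = os.urandom(16)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return {"nonce": nonce, "ciphertext": ct}


def decrypt(record: Dict, key: bytes) -> str:
    # With key and record together, the plaintext comes straight back out.
    ks = _keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks)).decode("utf-8", errors="replace")


def verify_positions(record: Dict, key: bytes, positions: Sequence[int], chars: str) -> bool:
    # positions are 1-based, as in the bank's prompt ("3rd, 5th and 8th").
    plain = decrypt(record, key)
    if any(p < 1 or p > len(plain) for p in positions) or len(chars) != len(positions):
        return False
    expected = "".join(plain[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), chars.encode())


# --- Option C: the joke scheme. Each letter hashed on its own, one shared salt. ---

def store_per_char_hashed(password: str) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hashes": [hashlib.sha256(salt + c.encode()).digest() for c in password]}


def crack_per_char(record: Dict) -> str:
    # Every position is an independent guess over ALPHABET, so recovering the whole
    # password costs at most len(password) * len(ALPHABET) hashes, not |ALPHABET|**len.
    recovered: List[str] = []
    for h in record["hashes"]:
        for c in ALPHABET:
            if hashlib.sha256(record["salt"] + c.encode()).digest() == h:
                recovered.append(c)
                break
        else:
            recovered.append("?")
    return "".join(recovered)


if __name__ == "__main__":
    enc = store_encrypted(SAMPLE_PASSWORD, SAMPLE_KEY)
    print("partial check:", verify_positions(enc, SAMPLE_KEY, [3, 5, 8], "0bo"))
    print("leaked key + record gives:", decrypt(enc, SAMPLE_KEY))
    print("per-char hash cracked to:", crack_per_char(store_per_char_hashed(SAMPLE_PASSWORD)))
```

The point to take away is the asymmetry in the post: against option A an attacker with the salt still has to guess whole passwords through a deliberately slow function, against option B an attacker with the key needs no guessing at all, and option C offers neither protection because the guess space per position is only the size of the alphabet.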