Re: Santander must also not be hashing passwords
Just a shame that they're so lax on the phone. Having had them transfer several thousand pound between my accounts without any security info at all on the phone, and having had them add extra security of which the extra has never in 10 years been asked for, if you were going to do something to them, you'd just phone.
But the rest is true, they use 3 inputs from me plus a visual validation of picture and phrase I set online (edit: although it appears this isn't always the case depending on account type and vintage)