Very much like banks that are so "secure" that they insist on certain characters out of the extent of your password. In other words, they have the thing in plain text in order to compare individual characters.
They ask for a combination of several characters. Let's try this one for size:
- You enter a new password.
- The bank extracts combinations of N characters. Perhaps all possible combinations, perhaps a subset of a long password.
- Each combination is hashed and the hashes stored together with a note of the positions of the characters of that combination.
- When you log on, the system chooses one particular combination, asks you for the relevant characters, hashes what you enter and compares the result to the stored hash.
Not only can this be achieved without storing plain text, the system doesn't even store your password as a single entity, not even when hashed.
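The scheme described in the comment above, as an added example that is not part of the original post. The function names, the per-record salt, the use of PBKDF2, the iteration count and N = 3 are assumptions chosen for illustration; positions are 0-based.

```python
import hashlib
import hmac
import itertools
import secrets

N = 3                  # characters requested per login (assumed value)
ITERATIONS = 100_000   # PBKDF2 work factor (assumed value)

def _digest(chars, positions, salt):
    # Bind the positions into the hashed input so a record is only
    # valid for the combination it was created for.
    material = (",".join(map(str, positions)) + ":" + chars).encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)

def enroll(password, n=N, limit=None):
    """Build the stored records; the password itself is never kept."""
    combos = list(itertools.combinations(range(len(password)), n))
    if limit is not None:  # "perhaps a subset of a long password"
        combos = secrets.SystemRandom().sample(combos, min(limit, len(combos)))
    records = []
    for positions in combos:
        salt = secrets.token_bytes(16)
        chars = "".join(password[i] for i in positions)
        records.append({"positions": positions, "salt": salt,
                        "hash": _digest(chars, positions, salt)})
    return records

def challenge(records):
    """Choose one stored combination; only its positions reach the login form."""
    idx = secrets.randbelow(len(records))
    return idx, records[idx]["positions"]

def verify(records, idx, entered):
    """Hash what the user typed and compare it to the stored hash."""
    rec = records[idx]
    if len(entered) != len(rec["positions"]):
        return False
    candidate = _digest(entered, rec["positions"], rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])

def inputs_per_record(alphabet_size, n=N):
    """Distinct inputs one stored hash can correspond to."""
    return alphabet_size ** n
```

Each record covers only `alphabet_size ** n` possible inputs (857,375 for three printable-ASCII characters), so the stored hashes need the same protection as any other credential store, plus attempt limiting at login.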