Re: Santander must also not be hashing passwords
Santander 'upgraded' (NOT!) their security. Old Santander accounts require customer ID, full passcode and full registration number. Accounts opened in the last couple of years required customer ID and three random characters from the passcode and three random characters from the registration number.
So they must be storing them using reversible encryption. And to make it look like they beefed up security, they just changed the front end. No changes have gone into the way the data is stored.
What do customers do when presented with three random character shite? They choose simpler passwords, don't they? No point in trying to use a 20-character randomly generated one when they pull this crap on you.
I don't use the Santander mobile app so can't speak for that one.
The Tesco's one is worse. The three random characters required by Santander are in fields named in the HTML as x1, x2, x3 and the three random characters are annoyingly not in order either. The Tesco's site asks for the username (not email address), full password (good) but the three random characters of the security number are presented and named as x1, x2, x3, x4, x5, x6 with the three you don't have to enter greyed out.
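The storage question raised in the comment above, as an added example that is not part of the original post and not either bank's code: a salted hash of the whole secret can only check the whole secret, so a three-character challenge needs either the recoverable characters or a per-subset hash whose search space is tiny. The function names, the digits-only sample secret, the salt and the PBKDF2 iteration count are all assumptions made for the demonstration.

```python
import hashlib
import hmac
from itertools import product

ITERATIONS = 2_000          # kept low so the demo runs quickly; not a production setting
SALT = b"constructed-salt"  # constructed sample value
SECRET = "4820917"          # constructed sample registration number (digits only, assumed)

def kdf(data: str, salt: bytes = SALT) -> bytes:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", data.encode(), salt, ITERATIONS)

def verify_full(stored: bytes, attempt: str) -> bool:
    """Full-secret login: only the hash is stored, compared in constant time."""
    return hmac.compare_digest(stored, kdf(attempt))

def pick(secret: str, positions: tuple) -> str:
    """Characters of the secret at the challenged (0-based) positions."""
    return "".join(secret[p] for p in positions)

def verify_partial_recoverable(plaintext: str, positions: tuple, answer: str) -> bool:
    """Partial challenge: the server must be able to read the characters themselves."""
    return hmac.compare_digest(pick(plaintext, positions).encode(), answer.encode())

def subset_record(secret: str, positions: tuple) -> bytes:
    """Alternative design: one stored hash per challengeable set of positions."""
    return kdf(f"{positions}:{pick(secret, positions)}")

def exhaust_subset(record: bytes, positions: tuple, alphabet: str = "0123456789"):
    """A 3-character record is not one-way in practice: at most len(alphabet)**3 candidates."""
    for tries, combo in enumerate(product(alphabet, repeat=len(positions)), start=1):
        guess = "".join(combo)
        if hmac.compare_digest(record, kdf(f"{positions}:{guess}")):
            return guess, tries
    return None, len(alphabet) ** len(positions)
```

With the constructed secret, the three challenged characters fail against the full-secret hash, and the per-subset record gives the characters back after a few hundred candidates, which is why neither partial-challenge design protects the stored secret the way a full-secret hash does.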