Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.
I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)
Is there any secure way that this could be happening? Or are the companies storing my password in plain text?
Unless they hash and store various combinations of characters in addition to, or instead of, the whole password. I haven’t heard of anyone doing this. If you were to pad them with a unique salt and a pepper before hashing each combination, you could end up with something more secure than just hashing the whole password. But hashing the whole password, if done properly, is already secure enough so this would seem like needless complication unless there’s some unusual concern about the password being intercepted in transit, and in that case you’d have other problems anyway.
I have heard of this thing of asking for selected characters of a static second authentication factor (e.g. a PIN), but not of a password itself. And now that we have proper 2FA systems I haven’t seen anything like that in a while.
It’ll be less secure.
If they hash a subset, then those extra characters are literally irrelevant, since the hash algorithm will exclude them. Like if they just hashed the first 5 characters, then “passw” is the same as “password” and all those permutations. Hashing is safe because it’s one-way, but simple testing on the hashing algorithm would reveal certain characters don’t matter.
Protecting a smaller subset of characters in addition to the whole password is slightly better but still awful. Cracking the smaller subset will be significantly easier using rainbow tables, and literally gives a hint for the whole password, making a rainbow table attack significantly more efficient. Protecting the whole thing (with no easy hints) is way more secure.
It also adds nothing to keylogging, since it’s not even a new code, it’s part of the password.
There was a time where that level of security was acceptable, and it still could be ok on a closed system like an ATM, as the other reply to my comment pointed out, but this kind of protection on a standard computer is outdated and adds holes.