Basic cyber security says that passwords should be encrypted and hashed, so that even the company storing them doesn’t know what the password is. (When you log in, the site performs the same encrypting and hashing steps and compares the results) Otherwise if they are hacked, the attackers get access to all the passwords.
I’ve noticed a few companies ask for specific characters of my password to prove who I am (eg enter the 2nd and 9th character)
Is there any secure way that this could be happening? Or are the companies storing my password in plain text?
One of the main differences between hashing and encrypting is that encryption is réversible by some means, while hashing isn’t. The irreversibility is what makes it so ideal for storing a password in a way that definitely can’t be used to get the original password back, even if someone steals the whole database with the passwords in it.
Those companies that ask for specific characters might be encrypting the passwords, but they definitely aren’t hashing them.