I had to call customer service recently regarding my 401(k) and robo call in the beginning asked me to enter my social security number using the keypad followed by a # and then asked for my account password using the keypad followed by # where special characters are *.
If the passwords are stored as hashes in their database, how is it possible that they can compare your input and verify it matches the password stored?
Punched in through a keypad, Hunter21 becomes 48683721 which would be indistinguishable from gtmtd7b1. It does not seem reasonable to compare all possible combinations of 48683721 to the hash because when including special characters and capitalization, it becomes more complex.
My only thought would be that they are storing my password as plaintext and comparing my keypad entered value to it and that would be concerning. I suppose when I first create the password they could convert it to the keypad equivalent number and hash/store that.
Is this common practice?