I had a call with a member of the Plusnet customer service team today who asked for two specific characters from my password to confirm who I was.
Password storage best practice is to hash users' passwords before storage so they can't be determined from the database record.
How were the characters from my password confirmed? Are user passwords only encrypted on the database? If so, why?
Cheers
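
The premise of the question, as an added example that is not part of the original post: a salted hash lets a service verify a whole password, while confirming individual characters requires the password itself. The function names, the PBKDF2-HMAC-SHA256 parameters and the sample passwords are assumptions constructed for illustration; nothing here describes how any particular provider stores passwords.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example


def make_record(password, salt=None):
    """What a hash-only user table keeps: a random salt and a digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record, candidate):
    """Login check: re-derive from the whole candidate and compare."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(derived, record["digest"])


def check_characters(plaintext, expected):
    """Phone-style check; `expected` maps 1-based position -> character.
    It takes the password itself, which a hash-only record does not hold."""
    return all(0 < pos <= len(plaintext) and plaintext[pos - 1] == ch
               for pos, ch in expected.items())


def differing_bits(a, b):
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    salt = bytes(16)  # fixed salt only so the demo is repeatable
    real = make_record("Tr0ub4dor&3", salt)    # constructed sample password
    other = make_record("Xr__b-other", salt)   # same 2nd and 5th characters
    print("full password verifies:", verify_full(real, "Tr0ub4dor&3"))
    print("characters 2 and 5 match (needs plaintext):",
          check_characters("Tr0ub4dor&3", {2: "r", 5: "b"}))
    # The two passwords share the requested characters, yet about half of
    # the 256 digest bits differ: the record holds no per-position data.
    print("digest bits differing:",
          differing_bits(real["digest"], other["digest"]))
```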