“Substitute any special characters with an asterisk.”
twitter.comTook me several reads of this to figure out the context, but now I think I understand it.
I think this answers the question about how passwords at what seems to be a large financial firm are stored - after all, there's only one way to know which of the characters in the stored password are special...
There's a few different ways, if they need to say they store them hashed, maybe they are hashing a T9 version (at severely reduced entropy).