If a provider sees the last 4 characters of my password, can they see it in full?
There's several possibilities.
They could be storing the full password in plaintext, and only displaying the last 4 characters to the support person.
They could be hashing the password twice. Once hashing the full password, and again with just the last 4. Then the support person types in the last 4 to see if it matches the hashed value. The problem with this is that it makes it easier to brute force the full password since the last 4 characters are in a separate hash, reducing entropy.
They could be hashing the full password, and storing the last 4 in plaintext. Obviously this makes it much easier to brute force the password if an attacker gaining access to the password database knows the last 4 digits.
Something else where the last 4 characters are stored in some way that's discover able, such as encryption that Mike Scott mentions below. If the secret to unlock the 4 characters can be discovered, this is as bad as plaintext.
All scenarios are very bad, and greatly reduce the security of the system. It's not possible to know which scenario they're using, but each of them shows a lack of consideration for security breaches. I'd advise caution if this is a site where you care about your account being breached.
It is always hard to answer such questions since we are not in Bluehost's secrets, so we can only guess and make suppositions.
However, the behavior you describe remains possible without storing any clear form password:
- When you create a new account or reset your password, the password is sent to the server, most likely in clear form protected by TLS,
- The server will then generate two different hashes for the same password:
- The first hash takes your full password and is used for usual authentication,
- The second hash takes only your password's four last characters,
- When you contact their support team, you tell them your last four characters, they type them on their software, then their software will internally calculate a hash, check it and display the result to the support technician.
BlueHost advises reasonable rules for strong passwords, so they probably employ at least one person who knows what he's doing.
Assuming such, BlueHost may be using an implementation of Shamir's Secret Sharing or a variation on that theme. Shamir's is theoretically secure, so I wouldn't immediately jump to the conclusion (as other answers have) that any scheme doing this is inherently less secure.
On the other hand, implementing Shamir's is non-trivial, so any of the other answers could equally apply. Since security is ultimately about trust, if you feel insecure with this scheme, I suggest you find another provider!