I guess anyone can just hack a password in like 1 second on a phone or something?
I promptly updated my direct deposit with my employer and used my more secure off-island bank as the destination for the majority of my pay, and had only the minimum required to avoid fees and act as spending money put in that account.
So people could type in different gobbledegook each time between the characters that matter.
To further defeat keyloggers, shoulder snoopers etc., let each valid character be an option from a set of two or more characters.
So, if my password is: Any 8 characters, but 2nd character must be A/B/C/x/y/z, and the 6th must be !/@/# then I could type:
How much more secure would something like that* generally be compared to static passwords?
* (Of course this is a simplified example for illustration. In practice you'd use more characters/options.)
It's not secure at all. If someone knows the rules of the system, the entropy on that is tiny, because it's basically a 2 letter password with only 6/3 options.
The only security would be from the obscurity of the attacker not knowing the password rules.
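To put numbers on the reply above, here is an added example (not code from any poster in this thread) that models the proposed scheme as an acceptance check and computes how much work a guesser actually faces. It assumes a 94-character printable ASCII alphabet, 8-character entries, and the two rules from the original post (2nd character in A/B/C/x/y/z, 6th in !/@/#); positions are zero-indexed in the code. The key quantity is the fraction of all possible strings the rules accept, because an attacker who types random strings gets in at that rate without ever learning where the special positions are.

```python
import math
import string
from itertools import product

# Constructed model of the scheme proposed in the thread (added example, not code
# from any post): an 8-character entry is accepted when character 2 is one of
# A/B/C/x/y/z and character 6 is one of !/@/#; every other slot accepts anything.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII chars
LENGTH = 8
RULES = {1: frozenset("ABCxyz"), 5: frozenset("!@#")}  # zero-indexed positions


def accepts(candidate, rules=RULES, length=LENGTH):
    """Return True when the typed string satisfies every positional-set rule."""
    if len(candidate) != length:
        return False
    return all(candidate[i] in allowed for i, allowed in rules.items())


def pass_probability(rules=RULES, alphabet=ALPHABET):
    """Fraction of all length-N strings over the alphabet that the rules accept.

    Unconstrained slots contribute a factor of 1, so only the constrained
    positions matter: the product of |allowed set| / |alphabet| over them.
    """
    n = len(alphabet)
    p = 1.0
    for allowed in rules.values():
        p *= len(allowed & frozenset(alphabet)) / n
    return p


def effective_bits(rules=RULES, alphabet=ALPHABET):
    """Work facing an attacker who types random strings: -log2(P[accept]).

    This is the honest strength of the scheme, because the attacker never has
    to guess which positions or character sets are the special ones.
    """
    return -math.log2(pass_probability(rules, alphabet))


def static_bits(length=LENGTH, alphabet=ALPHABET):
    """Entropy of an ordinary uniformly random password of the same length."""
    return length * math.log2(len(alphabet))


def count_accepted(alphabet, length, rules):
    """Exhaustively count accepted strings over a small alphabet, to cross-check
    pass_probability against brute-force enumeration."""
    return sum(1 for chars in product(alphabet, repeat=length)
               if accepts("".join(chars), rules, length))


if __name__ == "__main__":
    print(f"P[random 8-char string accepted] = {pass_probability():.6f}")
    print(f"expected random tries to get in  = {1 / pass_probability():.0f}")
    print(f"effective bits of the scheme     = {effective_bits():.2f}")
    print(f"bits of a static 8-char password = {static_bits():.2f}")
    # Cross-check the formula on a toy alphabet where enumeration is cheap:
    # 10 letters, length 4, slot 1 in {a,b}, slot 3 in {c} -> 10*2*10*1 = 200.
    toy = count_accepted("abcdefghij", 4, {1: frozenset("ab"), 3: frozenset("c")})
    print(f"toy enumeration: {toy} accepted of {10 ** 4}")
```

With these assumptions a random 8-character string is accepted about 0.2% of the time, so the scheme is worth roughly 9 bits against a guesser, versus about 52 bits for a static 8-character password over the same alphabet. Adding unconstrained slots or typing longer "gobbledegook" changes nothing, since those positions accept anything; only the constrained positions and the size of their allowed sets contribute.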
That was obviously an oversimplified example to explain the rules.
In practice you could make it as obscure as you want, while keeping it easy for you to remember.
Like the sentences I just typed here. No limit on the number of characters. I could enter different long sentences each time, as long as the characters at specific positions match certain sets.
You're not getting anywhere, because people trying to guess your password don't have to guess your scheme. All you're doing is making it easier for them. There is no sense in which you are making it harder.
In the optimum case, you'd require them to get the right characters in the slots you're counting, but to not use the wrong characters in the slots you're not counting, thus demonstrating that they actually know the scheme in question and aren't just getting lucky. There would be exactly one character you'd accept in the slot you're counting, and there would be exactly one character they could use to indicate they understand your pattern in the slots you're not counting. This maximizes the chance they have proved to be in possession of your password, rather than just getting lucky because you didn't count their misses. This is, of course, simply using a password normally.
If only that made it as secure as you want.
Now, if the rules were totally secret, you could make it such that each time you used a password, it was no longer valid. That would defeat the keylogger, while still allowing you to remember your 3 special characters. But of course you can't ever assume your rules are secret (security by obscurity and all that).
A bank I use does something like this. On account creation you give it a long key string and on subsequent log-in it asks for three different characters (e.g. the 4th, 3rd and 9th characters) from the string.