Hacker News

Hopefully the bank stores a separate hash for each mask, generated at the time of password creation. Otherwise, it’s hard for me to imagine how this would be possible without saving the password in clear text.


> a separate hash for each mask

If someone steals a hash for characters 1-4 they'll be able to brute force it. Only 10000x the cost of a single login. And then if you have the hash for characters 2-5...
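The cost argument in the reply above, as an added example that is not part of the thread: it counts the hash evaluations needed to recover a secret from stolen per-mask hashes. It assumes a numeric secret, salted SHA-256 and sliding 4-position masks; the function names, the storage format and the sample secret are hypothetical and constructed here.

```python
import hashlib
from itertools import product

DIGITS = "0123456789"  # assumption: numeric secret, so a 4-position mask has 10**4 values

def mask_hash(salt: bytes, mask: tuple, chars: str) -> bytes:
    # Hypothetical storage format: salted SHA-256 over mask positions plus their characters.
    return hashlib.sha256(salt + bytes(mask) + chars.encode()).digest()

def enroll(secret: str, masks: list, salt: bytes) -> dict:
    """One stored hash per mask, generated when the password is created."""
    return {m: mask_hash(salt, m, "".join(secret[i] for i in m)) for m in masks}

def offline_cost(stored: dict, salt: bytes, length: int):
    """Return (recovered secret, hash evaluations) for a stolen set of mask hashes."""
    known, guesses = {}, 0
    for mask, target in stored.items():
        # Positions already recovered from an overlapping mask need no search.
        unknown = [i for i in mask if i not in known]
        for combo in product(DIGITS, repeat=len(unknown)):
            guesses += 1
            trial = {**known, **dict(zip(unknown, combo))}
            if mask_hash(salt, mask, "".join(trial[i] for i in mask)) == target:
                known = trial
                break
    recovered = "".join(known.get(i, "?") for i in range(length))
    return recovered, guesses

if __name__ == "__main__":
    salt = b"constructed-salt"                      # constructed sample values
    masks = [(0, 1, 2, 3), (1, 2, 3, 4), (2, 3, 4, 5)]
    stored = enroll("739154", masks, salt)
    secret, cost = offline_cost(stored, salt, 6)
    # At most 10**4 + 10 + 10 evaluations, against 10**6 for one hash of all six digits.
    print(secret, cost)
```

A slower hash function multiplies every count by the same factor, so the ratio between the per-mask design and a single full-length hash stays the same.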



