I just called my mobile phone provider and they asked me to verify myself by telling them my mobile phone number and the first three characters of the password of my online account.
Now I'm wondering if this is a secure way to verify users on the phone.
The first thing that came to my mind was that they need to verify these characters on the server side, which wouldn't work with hashed passwords afaik.
So either they store raw passwords (which I really hope they don't) or they also create a hash of the first three characters of the password and store that alongside the password hash.
I think it's clear that the first option isn't secure, but is the second? I'd say that it's definitely not secure when using non-salted hashes, but is it when using salted hashes?