Fidelity asks for login password via telephone keypad
When I called Fidelity they asked me to type my login password on the phone keypad so they can verify my identity.
At first I thought it was a little weird, but then I began to wonder how that would work. Each number of the keypad can have up to 3 characters, so how do they verify my password? Are they keeping passwords in plain text? Or are they converting passwords to numbers and store that in addition to hashed password? Anyone have any insight? They're keeping a hash of the case-insensitive password, and they're throttling the number of tries from the phone system