Re: Actual e-mail received from Talk Talk
"Send you emails asking you to provide your full password. We will only ever ask for two digits from it to protect your security."
Which implies the totally insecure practice of storing passwords in plain text, or at best encrypted in a way that can be easily decrypted internally (and so is not really much better than plaintext).
Not that hashed passwords are safe, but at least more effort is required (and if using salts they can be quite secure, especially if the salts are stored elsewhere, so a theft of user "credentials" data needs a breach of 2 systems).
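The point made in the post above, as an added Python example that is not part of the original post or any TalkTalk code: a record holding only a salt and a stretched digest can verify a full password but cannot answer a "two characters" prompt, which needs the characters themselves. The "stored elsewhere" idea is modelled here as a secret key (`pepper`) kept outside the credentials store; that modelling, the function names, the iteration count and the sample password are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed work factor for this example


def _digest(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Key the password with a secret held outside the credentials store
    # (assumption: this stands in for "salts stored elsewhere"),
    # then stretch the result with the per-user salt.
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def enroll_hashed(password: str, pepper: bytes) -> dict:
    # The credentials store keeps only the salt and the digest.
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(password, salt, pepper)}


def verify_full(record: dict, candidate: str, pepper: bytes) -> bool:
    # Recompute from the whole candidate password and compare in constant time.
    expected = _digest(candidate, record["salt"], pepper)
    return hmac.compare_digest(record["digest"], expected)


def enroll_recoverable(password: str) -> dict:
    # What a partial-password prompt requires: the password itself
    # (plaintext, or ciphertext the service can decrypt at will).
    return {"password": password}


def verify_positions(record: dict, answers: dict) -> bool:
    # answers maps a 1-based position to the character the customer gave.
    if "password" not in record:
        raise ValueError("only salt and digest stored; characters not recoverable")
    stored = record["password"]
    return all(
        0 < pos <= len(stored) and stored[pos - 1] == ch
        for pos, ch in answers.items()
    )
```

With the hashed record, a copy of the credentials store alone does not let anyone confirm even the correct password, because the pepper lives in the second system.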