I'm not sure I understand what the point you're trying to make is. In a hypothetical (but unlikely) world where they <really> did need my password to manage my account, this would be a poor practice to have and it should have some kind of other verification, even if it was character [x] and [y] of my password. The same applies if they don't need it really... this doesn't seem a good idea regardless.
That specific solution doesn't work. If they have access with just characters x and y of your password, then they (as good as) have your password, and access to your account.
Well, yes, but it's expected and somewhat necessary that administrators (that is, people with some kind of administrative responsibility) of online services have access to your account.
So you do not trust them with your password (that you're going to change later anyway), but you do trust them with unpassworded access to your account?
All I'm saying is that you have to have that trust, it's always going to be the basis of how customer support works in businesses like this. Requiring that you give out your password to a person is not acceptable.
Now, having seen some of the alternative systems suggested, I think I agree.
I instinctively do not want to give my password to anyone. And that's a great habit to get into, and we want regular people to get into that habit. That would make phishing less useful.
In this case it seems they're trying really hard to protect your domain from harm. But yes, I've been mostly persuaded.