It seems risky even if an attacker only had access to the final password hash, and not to the hash for every intermediate substring. In this ca the hacker could dictionary attack the hash while bypassing server side limits on failed password attempts.