Even if they do, acquiring both of these hashes vastly helps with brute-forcing: you first break the phone key password and then check only the alphanumeric passwords that match it against the alphanumeric password's hash.