At least they tell you what's allowed. My favorite is when I put in a password that's rejected with an ambiguous message. Or, even better, when my bank accepted my password but it actually didn't handle whatever punctuation was in it correctly, so that changing my password succeeded but I couldn't log in at all (I was using KeePass, so it wasn't typos).


Had this happen with a credit card company. Registered for online access, generated pass with 1password, no errors, "Very strong" indicator, save (again, no errors) and was locked out.

Was a lot of fun talking to the customer service rep who insisted I needed to be using IE. That I had to register. That I "must be doing something wrong". That I am not typing in the correct password. That I'm not technically capable.

Turned out to be a length restriction. It just cut off the last n characters of the password I chose. Good times.


Yes! My bank did something like this - they kept rejecting my password as too long without telling me how long it was supposed to be!!

Turns out it was ten. Ten characters protecting my sensitive personal banking information. Upon e-mailing, they said they're going to be bumping it to 20.


My developer environment at work has a password that is synced across multiple services.

Ran into a problem a few months ago where I changed my password successfully on the front-end, but one-or-many backend syncing operations mangled the new password by dropping the last n characters on the floor. So when I logged into the front end, it would look like everything was fine until I tried to perform some kind of operation. At which point it promptly threw up all over itself.

Left me in a completely non-working state for a few days. Didn't help that I'm basically the only admin for said system.


Non-responsive superiors are a great excuse in business. Stuff can get "stuck" for quite a while if you have enough bureaucratic obfuscation to justify it. When the buck starts and stops in the same place you have nowhere to turn.


At my bank I'm restricted to a 5 character password. When asked if they think that would be secure enough, I was told that an attacker would also need the login name and that should be kept secret as well (default login name is account number or FirstnameLastname and I doubt many users will change that).


This happened to me on Mint.com. I use a password manager as well and I generated a 32 character password. It saved successfully, but once I'd log in, it'd kick me back letting me know that my password was incorrect. After about 15 minutes of confusion and multiple password resets, I figured out that passwords can only be 16 characters in length (or, that worked at least), and anything longer than that amount was just being ignored. There was no explanation about this at the time.
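The failure mode described in several of the posts above (the credit card "cut off the last n characters" story, the synced developer password, and the Mint.com 16-character case) is the same bug each time: the change-password path silently truncates to a limit, reports success, and the login path then hashes what the user actually types. The following is an added example, not code from any of the posters or sites mentioned; it models that bug beside a hardened variant and includes the probe the posters ended up doing by hand, so a QA or security engineer can detect silent truncation in a password store. `MAX_LEN`, the store classes and `diagnose` are all constructed for this illustration, and the 16-character limit is assumed from the Mint.com post.

```python
import hashlib
import hmac
import os

# Assumed limit, modelled on the 16-character case described in the thread.
MAX_LEN = 16
ITERATIONS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the full UTF-8 password (constructed helper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class TruncatingStore:
    """Models the bug: set_password silently cuts the password to MAX_LEN and
    reports success, while verify hashes what the user actually types.
    Any password longer than MAX_LEN can never log in again."""

    def __init__(self) -> None:
        self._users = {}  # user -> (salt, digest)

    def set_password(self, user: str, password: str) -> bool:
        stored = password[:MAX_LEN]        # silent truncation: no error, no warning
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(stored, salt))
        return True                        # "saved successfully"

    def verify(self, user: str, password: str) -> bool:
        salt, expected = self._users[user]
        return hmac.compare_digest(_digest(password, salt), expected)


class StrictStore(TruncatingStore):
    """Hardened variant: the same limit is enforced on both paths and is
    surfaced to the user instead of being applied silently."""

    def set_password(self, user: str, password: str) -> bool:
        if len(password) > MAX_LEN:
            raise ValueError(f"password must be at most {MAX_LEN} characters")
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt))
        return True

    def verify(self, user: str, password: str) -> bool:
        if len(password) > MAX_LEN:
            return False                   # same rule as set_password, never a silent cut
        return super().verify(user, password)


def diagnose(store, user: str = "alice") -> str:
    """The check the posters did by hand: set a password longer than the limit,
    then try logging in with the full string and with its truncated prefix."""
    probe = "correct-horse-battery-staple-42"   # constructed, 31 characters
    try:
        store.set_password(user, probe)
    except ValueError:
        return "rejects over-length"           # limit is enforced and explained
    full_ok = store.verify(user, probe)
    prefix_ok = store.verify(user, probe[:MAX_LEN])
    if full_ok and not prefix_ok:
        return "accepts full length"
    if prefix_ok and not full_ok:
        return "silent truncation"             # the lockout scenario from the thread
    return "inconsistent"


if __name__ == "__main__":
    for cls in (TruncatingStore, StrictStore):
        print(f"{cls.__name__}: {diagnose(cls())}")
```

Running the probe against a real system is the same three steps (set an over-length password, log in with the full string, log in with its prefix); any site that reports "silent truncation" is also, by construction, storing a weaker secret than the user believes they chose.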
