
> Bank of America doesn’t allow passwords over 20 characters, disallowing correcthorsebatterystaple. Passwords can contain some symbols, but not & or !, disallowing the other two passwords

Can anyone elaborate why "&" or "!" wouldn't be allowed?




Not answering your question, but the most inane thing I've seen is sites that have a password character limit but then don't tell you, and only save the first X number of characters.

There probably is a special level of hell for UI UX sins.


This drives me insane. It especially bites everyone using a manager to generate long random passwords.

Password fields that are too short cause a similar problem, where you ask "am I still typing? did it cut me off?"

We purposely made the fields huge to help with this on: https://www.dropbox.com/register


A not-very-great but traditional way to avoid some kinds of security holes is to sanitize your input by blacklisting anything that could be a shell/scripting/SQL metacharacter. Seems restrictions like that are still pretty common, either because it's actually still needed for security (alarming if true at BoA), or because it's now a sort of cargo-cult thing.
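As an added illustration of the point above (this is example code written for this thread, not anything from BoA or any commenter), the following contrasts the blacklist approach with what removes the need for it: treating the password as an opaque string that is salted and hashed before storage, and passing every value to the database through bound parameters so metacharacters never reach a shell or SQL parser. The blacklist uses the forbidden set quoted later in the thread; the iteration count and the table layout are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Forbidden characters quoted later in this thread for the BofA policy.
BLACKLIST = set("$<>^![]")
# Assumed PBKDF2 work factor for the demo; tune to your hardware in practice.
ITERATIONS = 200_000


def blacklist_rejects(password: str) -> bool:
    """The cargo-cult check: refuse any password containing a 'dangerous' character."""
    return any(ch in BLACKLIST for ch in password)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes; no character is special."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def create_store() -> sqlite3.Connection:
    """In-memory user table (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    """Store only salt and digest; '?' placeholders keep the value out of the SQL text."""
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))


def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Look the user up with a bound parameter and verify the submitted password."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    # Constructed sample password full of the characters the blacklist forbids.
    pw = "correct horse battery $taple!<>[]^"
    print("blacklist would reject:", blacklist_rejects(pw))
    conn = create_store()
    register(conn, "alice", pw)
    print("hash-and-bind login succeeds:", login(conn, "alice", pw))
```

Because the hash function consumes bytes and the query never interpolates the value, the password can contain any character at all; the only limit left is whatever cap you choose to put on the input length before hashing.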


That's what I had assumed, and I recently started web development so I'm not very educated on some of this stuff, but it seems to me like that could easily be avoided if things are done right. It's a banking site though, so I guess any extra protection to protect those users is good.


sounds about right. screenshot of BofA's policy here: http://dl.dropbox.com/u/209/bofa_password_constraints.png

the forbidden list is: $ < > ^ ! [ ]


Huh, thanks! I suspected it was a security thing, but I've seen some sites where other non-alphanumeric characters were disallowed as well. :/ At least this makes some sense.


The ampersand (& symbol) might make sense due to the following fact: a form is usually submitted as urlencoded:

     name=drostie&password=wining%20%26%20dining%20the%20suckas!&language=en-US
and they might be worried about some browsers not correctly URL-encoding such a form field -- or else they're perhaps worried that their own URL-encoding decoder will break.

The exclamation mark is weirder -- I can't think of a deep need to escape that symbol. The + symbol, maybe, since sometimes + in a URL is supposed to be used as a replacement for %20 as an encoding for a space, but not the ! symbol.
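To make the decoder worries in the comment above concrete, here is an added Python example (not from the thread or from any bank's code) that runs the quoted form through a correct `application/x-www-form-urlencoded` round trip, then through two hypothetical faulty decoders: one that percent-decodes the whole body before splitting on `&`, and one that expects `%20` for spaces and so never turns the browser's `+` back into a space. The username and password are constructed sample values.

```python
from urllib.parse import urlencode, parse_qs, quote_plus, unquote, unquote_plus

# Constructed sample credentials (not real); the password deliberately
# contains the characters discussed in the thread: '&', '!' and '+'.
USERNAME = "drostie"
PASSWORD = "wining & dining the suckas!+1"


def encode_form(fields: dict) -> str:
    """Serialize fields the way a browser submits a form (spaces become '+')."""
    return urlencode(fields)


def decode_form(body: str) -> dict:
    """Correct decoder: split on '&' and '=' first, then percent-decode each part."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def broken_decode(body: str) -> dict:
    """Hypothetical buggy decoder: percent-decodes the whole body before splitting,
    so an encoded '&' (%26) inside a value is mistaken for a field separator."""
    out = {}
    for pair in unquote_plus(body).split("&"):
        key, _, value = pair.partition("=")
        out[key] = value
    return out


def mismatched_decode(value: str) -> str:
    """Hypothetical encoder/decoder mismatch on '+': the browser encodes spaces
    as '+', but a decoder that only understands %20 leaves the '+' in place."""
    return unquote(quote_plus(value))


def password_survives(password: str) -> bool:
    """True when the correct encode/decode pair returns the password unchanged."""
    body = encode_form({"name": USERNAME, "password": password, "language": "en-US"})
    return decode_form(body)["password"] == password


if __name__ == "__main__":
    body = encode_form({"name": USERNAME, "password": PASSWORD, "language": "en-US"})
    print("wire form:       ", body)
    print("correct decoder: ", decode_form(body)["password"])
    print("split-late bug:  ", repr(broken_decode(body)["password"]))
    print("plus/space bug:  ", mismatched_decode(PASSWORD))
```

With a compliant encoder and decoder the `&`, `!` and `+` all come back intact, which is why a server that handles its own form parsing correctly has no reason to forbid them; the two faulty decoders show the kind of breakage a blanket character ban is presumably guarding against.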


There's a system I used at work that actually stripped my password of some characters, but still allowed me to register. Couldn't figure out for the life of me why the password I just typed wasn't being recognized.


This may not be their reason, but I used to have a password with @ in it. Then I went to Germany and discovered the keyboards there didn't have @ on them. That was a fun time.


You can usually type some easy combination (here it's Ctrl+Alt+2 or AltGr+2) to get it. It's not like Germans don't write email addresses.


If you aren't German and can't log in, discovering such combos is a bit difficult. Once I figured it out, no problem.



