Hacker News
by Forge36 2625 days ago
One of my favorite DEFCON presentations addressed this:

https://youtu.be/fhUHVGTa8mQ

In summary: there are a lot of third-party products for interacting with banking data. Different versions between those products still in use. The need to enforce security based on the product/interface with the worst usability (i.e., most restrictive set of functionality or most bugs to work around).

The talk specifically talks about Open Financial Exchange (OFX) as one of these legacy pieces.

"Can't be pasted" has changed more recently, to my knowledge.

"Can't be long" is due to some OFX protocols limiting password transmission length (and sharing passwords between services in plain text!).

Special characters are disallowed because some of those characters were control characters for the communication markup.
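
An added illustration of the last two points (not part of the comment or the talk): a simplified OFX 1.x-style SGML sign-on fragment, showing how a password containing markup characters is misread when interpolated raw and survives when entity-encoded at the boundary. The toy parser, the 32-character limit, and the sample credentials are assumptions constructed for this example.

```python
import re
from html import escape, unescape

MAX_USERPASS = 32  # assumed legacy field limit, for illustration only


def build_signon(user, password, encode):
    """Build a simplified OFX 1.x-style sign-on fragment.

    In this SGML dialect leaf elements carry no closing tag: <TAG>value.
    With encode=False the credentials are interpolated raw, which is the
    legacy behaviour that makes '<', '>' and '&' unsafe in a password.
    """
    if len(password) > MAX_USERPASS:
        raise ValueError("password exceeds legacy field length")
    enc = (lambda s: escape(s, quote=False)) if encode else (lambda s: s)
    return f"<SONRQ><USERID>{enc(user)}<USERPASS>{enc(password)}</SONRQ>"


def parse_leaves(message):
    """Toy stand-in for a receiving parser: collect <TAG>value pairs."""
    fields = {}
    for tag, value in re.findall(r"<([A-Z0-9.]+)>([^<]*)", message):
        if value:  # skip aggregate tags such as <SONRQ> that hold no text
            fields[tag] = unescape(value)
    return fields


if __name__ == "__main__":
    password = "Tr0ub<ADOR>&3"  # constructed sample credential

    raw = parse_leaves(build_signon("alice", password, encode=False))
    print("raw:    ", raw)      # password is cut at '<', stray element appears

    safe = parse_leaves(build_signon("alice", password, encode=True))
    print("encoded:", safe)     # password round-trips unchanged
```

Encoding at the serialization boundary removes the reason for banning the characters; the length cap remains a property of the receiving field and has to be lifted on that side.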