[Zancarius]

I'm guessing the solution would've then been to 1) disable the update event and 2) paste the ROT13'd password, either into the browser or into the input field value via the inspector.

Like you, whenever I run into sites that do weird things like that, I always find it hard to shake a bit of suspicion about how their backend is implemented (or not, depending on the case). For instance, when they start rejecting characters like "%" or "'" which have special meaning in SQL. I can't help but wonder if they're storing things in plain text.

I've run into at least two vendors I can think off the top of my head that limit what characters you can use for a password. That always makes me uneasy, and I don't buy anything from them on principle. Who knows what else they're doing that's not immediately obvious.