This kind of thing drives me crazy. Why not allow special characters? The only conceivable reason is so that your app doesn't get SQL-injected or otherwise hijacked -- which is why God invented the character escape.
Limiting the number of chars as a security measure? I'd make fun of this but it's just too easy and stupid.
Don't know for sure, but I have a persistent suspicion that some people are passing unencoded passwords as shell arguments. It's the only explanation I can come up with.
Not that that makes it acceptable, of course -- or even any less astonishing.
