by _delirium 5179 days ago
A not-very-great but traditional way to avoid some kinds of security holes is to sanitize your input by blacklisting anything that could be a shell/scripting/SQL metacharacter. Seems restrictions like that are still pretty common, either because it's actually still needed for security (alarming if true at BoA), or because it's now a sort of cargo-cult thing.
2 comments

That's what I had assumed, and I recently started web development so I'm not very educated on some of this stuff, but it seems to me like that could easily be avoided if things are done right. It's a banking site though, so I guess any extra protection to protect those users is good.
Sounds about right. Screenshot of BofA's policy here: http://dl.dropbox.com/u/209/bofa_password_constraints.png

The forbidden list is: $ < > ^ ! [ ]
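To make the original post's point concrete (a metacharacter blacklist is unnecessary once the password is handled correctly), here is an added example that is not code from the thread or from any bank. It implements the blacklist quoted in the comment above ($ < > ^ ! [ ]) as a check, then shows a password containing every one of those characters being registered and verified through a salted PBKDF2 hash and parameterized SQL, where no character has special meaning. The user name, password and in-memory SQLite schema are constructed for the demo.

```python
"""Added example: a password metacharacter blacklist versus proper handling.

The password is hashed with a salted, slow KDF and stored through a
parameterized query, so shell/SQL metacharacters in it are just bytes.
All names, values and the schema below are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# The forbidden set quoted in the thread (BofA screenshot): $ < > ^ ! [ ]
BOFA_BLACKLIST = frozenset("$<>^![]")


def violates_blacklist(password: str) -> bool:
    """The blacklist check as described: reject any password holding a listed character."""
    return any(ch in BOFA_BLACKLIST for ch in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest.

    The password is treated as opaque UTF-8 bytes; nothing in it is parsed,
    so a blacklist buys no protection at this layer.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


class UserStore:
    """Minimal credential store (constructed for the demo) backed by in-memory SQLite."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")

    def register(self, name: str, password: str) -> None:
        salt, digest = hash_password(password)
        # Parameterized statement: the driver binds the values, so neither the
        # name nor the hash bytes are ever interpreted as SQL text.
        self.db.execute("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)", (name, salt, digest))
        self.db.commit()

    def verify(self, name: str, password: str) -> bool:
        row = self.db.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
        if row is None:
            return False
        salt, stored = row
        _, candidate = hash_password(password, salt)
        # Constant-time comparison of the recomputed digest against the stored one.
        return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Register a user whose password uses every blacklisted character and check the outcomes."""
    password = "c0rrect$<horse>^bat!tery[staple]"  # constructed; contains all of $ < > ^ ! [ ]
    name = "O'Neil"  # constructed; the quote is harmless because the query is parameterized
    store = UserStore()
    store.register(name, password)
    return {
        "blacklist_rejects": violates_blacklist(password),
        "login_ok": store.verify(name, password),
        "wrong_pw_rejected": store.verify(name, password + "x"),
        "unknown_user_rejected": store.verify("nobody", password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The blacklist would have rejected this password outright, while the hashed, parameterized path accepts it, verifies it, and rejects a wrong password or unknown user. The only thing the blacklist achieves here is shrinking the character set users can choose from.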

Huh, thanks! I suspected it was a security thing, but I've seen some sites where other non-alphanumeric characters were disallowed as well. :/ At least this makes some sense.