by obituary_latte 4763 days ago
Had this happen with a credit card company. Registered for online access, generated pass with 1password, no errors, "Very strong" indicator, save (again, no errors) and was locked out.

Was a lot of fun talking to the customer service rep who insisted I needed to be using IE. That I had to register. That I "must be doing something wrong". That I am not typing in the correct password. That I'm not technically capable.

Turned out to be a length restriction. It just cut off the last n characters of the password I chose. Good times.


Yes! My bank did something like this - they kept rejecting my password as too long without telling me how long it was supposed to be!!

Turns out it was ten. Ten characters protecting my sensitive personal banking information. Upon e-mailing, they said they're going to be bumping it to 20.

My developer environment at work has a password that is synced across multiple services.

Ran into a problem a few months ago where I changed my password successfully on the front-end, but one-or-many backend syncing operations mangled the new password by dropping the last n characters on the floor. So when I logged into the front end, it would look like everything was fine until I tried to perform some kind of operation. At which point it promptly threw up all over itself.

Left me in a completely non-working state for a few days. Didn't help that I'm basically the only admin for said system.

Non-responsive superiors are a great excuse in business. Stuff can get "stuck" for quite a while if you have enough bureaucratic obfuscation to justify it. When the buck starts and stops in the same place you have nowhere to turn.

At my bank I'm restricted to a 5 character password. When asked if they think that would be secure enough I was told that an attacker would also need the login name and that should be kept secret as well (default login name is account number or FirstnameLastname and I doubt many users will change that).
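
The silent-truncation lockout described in the comments above, reproduced as an added example (not code from any commenter or from the sites they mention). The class names, the 10-character legacy limit and the 128-character strict limit are assumptions chosen for the illustration.

```python
import hashlib, hmac, os

LEGACY_MAX = 10  # assumed limit applied only on the registration path

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class TruncatingStore:
    """Registration silently cuts the password; login hashes the full input."""
    def __init__(self):
        self.users = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password[:LEGACY_MAX], salt))  # silent cut

    def login(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash(password, salt))

class StrictStore(TruncatingStore):
    """One limit on every path; overlength input is rejected and the limit is stated."""
    LIMIT = 128  # assumed policy value

    def register(self, user, password):
        if len(password) > self.LIMIT:
            raise ValueError(f"password longer than {self.LIMIT} characters")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        return len(password) <= self.LIMIT and super().login(user, password)

def demo():
    pw = "correct-horse-battery-staple-42"  # constructed sample password
    legacy, strict = TruncatingStore(), StrictStore()
    legacy.register("alice", pw)
    strict.register("alice", pw)
    try:
        strict.register("bob", "x" * 200)
        error = ""
    except ValueError as exc:
        error = str(exc)
    return {
        "legacy_full_login": legacy.login("alice", pw),                 # user is locked out
        "legacy_prefix_login": legacy.login("alice", pw[:LEGACY_MAX]),  # real secret is the prefix
        "strict_full_login": strict.login("alice", pw),
        "strict_error": error,
    }

if __name__ == "__main__":
    print(demo())
```

The legacy store locks out the user who types the full password while accepting its first ten characters, so the strength meter shown at registration overstates what is actually protecting the account.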