by nollidge 4769 days ago
Yes! My bank did something like this - they kept rejecting my password as too long without telling me how long it was supposed to be!!

Turns out it was ten. Ten characters protecting my sensitive personal banking information. Upon e-mailing, they said they're going to be bumping it to 20.

2 comments

My developer environment at work has a password that is synced across multiple services.

Ran into a problem a few months ago where I changed my password successfully on the front-end, but one-or-many backend syncing operations mangled the new password by dropping the last n characters on the floor. So when I logged into the front end, it would look like everything was fine until I tried to perform some kind of operation. At which point it promptly threw up all over itself.

Left me in a completely non-working state for a few days. Didn't help that I'm basically the only admin for said system.

Non-responsive superiors are a great excuse in business. Stuff can get "stuck" for quite a while if you have enough bureaucratic obfuscation to justify it. When the buck starts and stops in the same place you have nowhere to turn.

At my bank I'm restricted to a 5-character password. When asked if they think that would be secure enough, I was told that an attacker would also need the login name and that should be kept secret as well (default login name is account number or FirstnameLastname and I doubt many users will change that).