[jamieomatthews]

Can anyone explain why this is? I've never heard a security reason for this.

[ShaneWilton]

On some older keypad layouts, Q and Z aren't associated with a number. It could be some misguided attempt at backwards compatibility.

[cgtyoder]

Shit poor security? It almost sounds like they end up converting the stored password to digits, based on letters associated with numbers on a standard phone (originally 'Q' and 'Z' were omitted). I wonder if they consider 'ad4jmp' and '2ehkn7' different passwords. That would be an interesting test.

[30thElement]

While the other answers about Sabre are probably right, I've heard that banks intentionally have stupid password policies to prevent password reuse. If one bank says "no special characters but most contain a number", another says "must contain a special character, but no numbers", and a 3rd says "must contain a number and special character", they can guarantee that if one of the 3 is hacked into it doesn't compromise people with accounts at all 3 (of course ignoring people using "password" with a 1 or ! on the end).

[frogpelt]

This would require cooperation.

[eudox]

Guess 1: They append either one of those characters to the password to store some form of information.

Guess 2: The characters are column separators in some form of data store.

[jdonahue]

Marketing? A sane password policy doesn't get you to #2 on HN.