by twistedpair 4415 days ago
This entropy loss is standard. Try calling the country's leading 401K provider or other banks; they'll ask for your password over the phone keypad.

Because of this, most people cannot have punctuation in the password (not on phone keypad), and aB2CaCb becomes 1111111. So much for 104 keys on the keyboard.

1 comments

The Fidelity case scared me years ago. Amazed they still do that, but I can also imagine that they have a system that only allows the crazy phone mapping when validating over the phone, and policy around that on how many times you can try, phone number you try from, etc., to minimize brute-force attacks to counter the loss of entropy.
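
Added illustration, not part of either comment above: a Python sketch that quantifies the keypad collapse and the attempt-limit mitigation discussed in this thread. The ITU-T E.161 letter layout, the 94-character printable-ASCII alphabet, the uniform-password model and all function names are assumptions made for the example.

```python
import math
import string

# Assumed layout: ITU-T E.161 letter groups as printed on most phone keypads.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
CHAR_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}

def to_keypad(password):
    """Digit string a caller would key in, or None when a character
    (punctuation, space) has no key, i.e. the password is unusable by phone."""
    out = []
    for ch in password:
        if ch in string.digits:
            out.append(ch)
        elif ch.lower() in CHAR_TO_KEY:
            out.append(CHAR_TO_KEY[ch.lower()])  # case is lost here
        else:
            return None
    return "".join(out)

def keyspace_bits(alphabet_size, length):
    """Upper bound on entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)

def preimages(digits):
    """Number of case-sensitive alphanumeric passwords that collapse
    to this digit string (the digit itself plus upper/lower letters per key)."""
    total = 1
    for d in digits:
        total *= 1 + 2 * len(KEYPAD.get(d, ""))
    return total

def online_guess_success(attempts, length):
    """Chance that `attempts` distinct guesses hit a uniformly random
    keypad-form password before a lockout policy stops further tries."""
    return min(1.0, attempts / 10 ** length)

if __name__ == "__main__":
    pw = "aB2CaCb"  # sample password taken from the thread
    digits = to_keypad(pw)
    print(pw, "->", digits, "shared with", preimages(digits), "passwords")
    lost = keyspace_bits(94, len(pw)) - keyspace_bits(10, len(pw))
    print(f"entropy ceiling lost at length {len(pw)}: {lost:.1f} bits")
    print("3-attempt lockout, success chance:", online_guess_success(3, len(pw)))
```
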