[breadbox]

And as others have noted, this doesn't make sense given that passwords are case-sensitive and are required to include uppercase characters.

If there's a mechanism for specifying case on the phone, there can be a mechanism for specifying Q and Z unambiguously. I certainly have used VM systems that explicitly told me to "use 7 to represent Q and 9 to represent Z."

A contractual requirement is one possibility that could explain it, but my suspicion is rather that some legacy code in the system uses Q and Z as special escape characters or delimiters (because of their absence on the phone dial), and it's not worth the cost to try to fix the ancient code (or do all the testing necessary to be confident of deploying a workaround).

[dredmorbius]

Case-sensitivity is an interesting observation. It makes it 1) more likely that the passwords are being stored and that 2) there are multiple interfaces used: the Web front-end which can handle capitalization (something which can be unambiguously transformed) and a back-end SABRE system which likely cannot but a case-shifted password could still be passed to it.

As for your voicemail system, that merely gets around the issue of competing standards by enforcing its own. And the mapping has to be repeated to every user for every use of the system. I'd actually consider it an argument in favor of the keypad theory.

Escape codes (or testing codes) is another possible explanation. And legacy code cost is indeed often a consideration.