I was in Chicago with my family recently and purchased a one-day pass for the CTA. When I returned home I found you could create an online account connected to the card, ostensibly to be able to fill it up automatically, but also to track your ridership. I thought it would be interesting to see what kind of data a rider could get from the card.
I spent quite a bit of time trying to create an account only to receive a generic 50x error page each time. I tried disabling adblockers, completely unblocking javascript, disabling extensions, and nothing worked. I tried it in different browsers, and on different computers. I still received the 50x error. Then, on a whim, I tried using a different password. When that worked, I tried changing the password using 1-character-removed tweaks of the original. There was a single character that, it turns out, would cause the application to choke on passwords (I don't remember which character). Presumably it was an escape character or a semicolon.
It's not impossible for account systems to fail in unexpected ways, so there are probably more than a few (poorly-designed) websites which have seemingly arbitrary password requirements which are designed to avoid the kind of error I found above. Still, it would be better to fix the error in the webapp than to try to patch it by limiting the user input - that's an obvious security problem waiting to happen.
Last I knew, the T-Mobile registration form prevented typing the letter 'v' in the password field. It was a rookie programmer trying to prevent pasting.
I spent quite a bit of time trying to create an account only to receive a generic 50x error page each time. I tried disabling adblockers, completely unblocking javascript, disabling extensions, and nothing worked. I tried it in different browsers, and on different computers. I still received the 50x error. Then, on a whim, I tried using a different password. When that worked, I tried changing the password using 1-character-removed tweaks of the original. There was a single character that, it turns out, would cause the application to choke on passwords (I don't remember which character). Presumably it was an escape character or a semicolon.
It's not impossible for account systems to fail in unexpected ways, so there are probably more than a few (poorly-designed) websites which have seemingly arbitrary password requirements which are designed to avoid the kind of error I found above. Still, it would be better to fix the error in the webapp than to try to patch it by limiting the user input - that's an obvious security problem waiting to happen.