Silent truncation. This becomes worse when you realize that a companies web login vs mobile have different hard lengths, in this case it was mint.com. They allowed 16 online and 32 mobile, after letting them know they thankfully made it consistent at 32. Which isn’t perfect but it’s far better than most
I've encountered other weird bugs in mint too. On one site they wouldn't let me enter an email address as a username for a website which used your email as your username. Editing the DOM to remove that front-end validation worked, which was also disappointing, but at least it worked.
Oh! Related gripe - registration and login having different validation, removing it in the frontend 'fixing' it...
I've been able to supply my 'too long' password more than a few times that way, and it's transpired that actually it clearly was all stored on registration.
So on a whim I've tried it when registration's failed, and sure enough it's been stored, and then not validated on login.
It's so easy to do better, just don't do it in the frontend!
