Hacker News

medvidek, today at 12:53 PM

I remember a website that silently removed everything but the first 8 characters from the "password" field upon registration but somehow didn't do the same on the login page. It took me several hours and several password resets to actually log in after registration, since for some reason the trimming happened client-side and only when typing the password manually (and I was pasting my password from a password manager).


Replies

eep_social, today at 5:00 PM

In a similar vein, I remember encountering a site where the frontend enforced basic complexity requirements à la “use at least one number and one symbol”, but the system would silently drop all non-alphanumerics when it saved (presumably in some kind of failed conversion on the way into the backend DB). So setting a password like “foo_bar4!” would become “foobar4”, which was surprising. What blew my mind, though, was when I figured out the stripped password worked to log in, which was how I eventually figured out what was happening, escaped the reset flow, and generated a compliant password.
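Both comments describe the same defect: the registration path mangles the password (truncating it, or stripping symbols) while the login path hashes it verbatim, so the stored hash never matches what the user types. The regression check below is an added example, not code from either site or commenter; the `PasswordStore` class, its `normalize` hook (used only to emulate a lossy registration path) and the probe password are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import re


def truncate_to_8(password: str) -> str:
    """Emulates the first comment: only the first 8 characters survive registration."""
    return password[:8]


def strip_non_alphanumerics(password: str) -> str:
    """Emulates the second comment: symbols are dropped on the way into the DB."""
    return re.sub(r"[^0-9A-Za-z]", "", password)


class PasswordStore:
    """Minimal register/login backend with PBKDF2-HMAC-SHA256 (assumed design).

    `normalize` is applied on registration only, reproducing the asymmetry
    both comments describe; the correct configuration is the identity."""

    def __init__(self, normalize=lambda p: p):
        self._normalize = normalize
        self._users = {}  # user -> (salt, digest)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(self._normalize(password), salt))

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, self._hash(password, salt))


def password_pipeline_is_lossless(store_factory) -> bool:
    """Register a long, symbol-bearing probe (constructed value) and require that
    login accepts it verbatim and rejects the variants a lossy pipeline would
    silently produce. Returns False for either of the bugs described above."""
    store = store_factory()
    probe = "Tr0ub4dor&3_long-enough!"  # 24 chars, contains '&', '_', '-', '!'
    store.register("probe", probe)
    if not store.login("probe", probe):
        return False
    mangled = {truncate_to_8(probe), strip_non_alphanumerics(probe)}
    return not any(store.login("probe", m) for m in mangled)
```

Run this against a staging deployment's real register/login functions (in place of `PasswordStore`) as part of CI, and it catches the mismatch before a user spends hours in the reset flow.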