Speaking of long passwords…
On one of the financial websites I use, the password rule is 8-12 characters and no punctuation allowed. I presume that’s to facilitate touch-tone access. But their account creation page and login page does not enforce that rule.
So of course I made a rather long password with a mess of odd characters and happily logged in. But one of their confirmation screens does enforce it, so I hit the three-tries-and-you’re-locked-out limit.
Two comments: 1) that password rule is stupid and dangerous, 2) inconsistency application of rules is a sign they have poor oversight of their code, and probably have much more serious security bugs lurking.