Comment by eep_social

6 hours ago

In a similar vein, I remember encountering a site where the frontend enforced basic complexity requirements à la “use at least one number and one symbol” but the system would silently drop all non-alphanumerics when it saved (presumably in some kind of failed conversion on the way into the backend DB). So setting a password like “foo_bar4!” would become “foobar4” which was surprising. What blew my mind though was when I figured out the stripped password worked to log in, which was how I eventually figured out what was happening, escaped the reset flow, and generated a compliant password.
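An added example, not part of the comment above and not the site's code: a round-trip regression check that would catch the mismatch described, run against a lossy save path and a hardened one. The class and function names are hypothetical, and it assumes the stripping happened only on save while login hashed the input as typed.

```python
import hashlib
import hmac
import os
import re

NON_ALNUM = re.compile(r"[^A-Za-z0-9]")

def kdf(password: str, salt: bytes) -> bytes:
    # Hash exactly the characters given; no normalisation happens here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def meets_policy(password: str) -> bool:
    # The frontend rule from the comment: at least one number and one symbol.
    return bool(re.search(r"[0-9]", password)) and bool(NON_ALNUM.search(password))

class LossyStore:
    """Assumed bug: the save path drops symbols, the login path does not."""
    def __init__(self):
        self.db = {}

    def save(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, kdf(NON_ALNUM.sub("", password), salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, kdf(password, salt))

class StrictStore(LossyStore):
    """Hardened form: enforce the policy server-side, store the input unchanged."""
    def save(self, user: str, password: str) -> None:
        if not meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.db[user] = (salt, kdf(password, salt))

def round_trip(store, password: str) -> dict:
    """Regression check: after saving, which spellings of the password log in?"""
    store.save("alice", password)  # constructed test account
    return {
        "original": store.login("alice", password),
        "stripped": store.login("alice", NON_ALNUM.sub("", password)),
    }

if __name__ == "__main__":
    print(round_trip(LossyStore(), "foo_bar4!"))
    print(round_trip(StrictStore(), "foo_bar4!"))
```

A check like this belongs in the test suite for any signup or reset flow: the password a user typed must log in, and no transformed variant of it may.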