One thing which has surprised me considerably (though it's hardly news) is the number of Web sites dealing with healthcare and financial information that have weirdly simple password rules. Some have eight or twelve character limits. Many will not allow any non alphanumeric characters, so the user cannot include characters such as *, &, _, !, and so forth. Which in turns means the passwords are much more easily hacked. Some are not case sensitive.
It's a very weird mishmash of standards which will make any coder, or anyone with even a passing understanding of security, cringe.
I really don't get this.