What's disgraceful are the sites that don't allow passwords to be set up from any Unicode characters of any length. Worse still the ones that allow you to set a password but then only log in with the DB clipped 15 characters of it. Particularly bothersome has been BBC ID and UK GOV, where passwords have to be downgraded to work through mobile authentication. I keep notes on the rejected characters and weird rules for the various sites. I'm also developing a new system with proper client and server-side salted hashing and SSL/TLS.