I have run across several financial sites where passwords of any length are accepted but only the first 8 characters are significant. In fact I recall many years ago one site was quite open in suggesting you use some phrase of length n but only the first m characters would be significant. That goes back to password rules the site established many years ago when 8 character passwords were the standard and has remained unchanged to avoid requiring many thousands of established customers to change their password.
If we knew what it was we were doing, it wouldn't be called research, would it?
