The worst I've seen have uncommunicated password length maximums—but don't error when you exceed them. Instead, they just truncate your password, but only on creation. When authenticating, they don't truncate, so your password you just made with a password manager is "wrong".
Spotify did/does this. Made canceling my free trial really tricky, because I needed to log in again to do so.
That one irks me too... When I built an auth/rbac app previously I did make Max length configurable and it would display a night if set. I set a hidden hard limit to 1k only to reduce attack surfaces that would only display and error if exceeded.
Default was a min-length of 15 as the only requirement with the default hint of "try using a short sentence"
I also had optional use of zxcvbn and haveibeenpwned checks during new passphrase creation.
I really wanted to open source the application but couldn't get approval to do so.
It was a pretty nice little simple auth application that issued RSA signed JWT to configured applications. It was interested into a few internal apps as well as for clients that didn't have something like azure ad, okta, etc. where we wrote bridge apps for auth.
If I had my configuration doc, I'd probably recreate it exactly, but with a Rust backend with HTMX instead of C#+react.
The date store used SQLite as a KV store, with simple methods for access that allowed an exception later for the values. Also wrote support for PostgreSQL and MS-SQL so they could be used where available.
Spent a lot of time on same defaults, hashing and encryption along with required configuration options for a few clients.
Aside: more devs really need to better understand public/private key generation and usage... Like not using the same keys for different environments.
Even worse, when the password has an arbitrary length requirement of 20, but the site doesn't tell you and just cuts of any trailing characters exceeding the requirement during account creation.
You have no idea how long it took me to figure that one out.
Slightly easier to figure out but no less annoying is when the maxLength attributes on the password fields for the two forms (create account and login) are different.
Even worse, some will simply arbitrarily silently truncate the password. But not everywhere! The sign up page might silently truncate and then the actual login page might not.
What happened to me once is that a long-time password of mine got truncated as the website lowered it's maximum password length, and the login page didn't truncate, so my full correct password suddenly stopped working. The pain.
Several comments mention passwords getting silently truncated by input maxlength. FWIW my extension provides a visible warning when this occurs: https://underpassapp.com/StopTheMadness/
Are you referring to 'security questions' where the user must choose from a predetermined list? A predetermined list which is often questions whose answers may be know to close attackers (first school), not applicable to everyone (name of first pet), or anglocentrically blind to worldwide cultural diversity (mother's maiden name). I hate that so much.
Providing a list is fine as long as they let the user type their own question if they want to. I cannot trust the security of a single one of their crap questions if I were to answer them honestly. However, if they let me type my own question, I can absolutely guarantee it.
Even worse, there are some that restrict special characters, but don't tell you which!
Now you've got to go trial and error to find out which of the special characters in your password is not acceptable to that precious §("/$& website!