22 points
My favorite is when systems will stealth truncate your password without telling you, but only when setting it. For some reason I often encounter this with systems truncating to 20 characters.
- Set 24 character password: no error (secretly truncated to 20 characters).
- Try to log in: credentials invalid (it checks the full 24 character one against the 20 character one).
- Go to reset to what it should be, password can’t be the same (again, stealth truncating to 20 characters).
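The failure described in the comment above, reproduced as an added example that is not part of the original comment or of any system it refers to. The class names, the PBKDF2 hash and the sample password are assumptions made for illustration; the 20-character limit is the one the comment mentions.

```python
import hashlib
import hmac
import os

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class TruncatingStore:
    """Behaviour from the comment: silent truncation on set/reset, none on login."""
    LIMIT = 20

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = None

    def _for_storage(self, password: str) -> str:
        return password[:self.LIMIT]          # silent truncation, no error

    def _for_login(self, password: str) -> str:
        return password                       # full input: the mismatch

    def set_password(self, password: str) -> None:
        new = _digest(self._for_storage(password), self.salt)
        if self.stored is not None and hmac.compare_digest(new, self.stored):
            raise ValueError("new password can't be the same as the old one")
        self.stored = new

    def login(self, password: str) -> bool:
        attempt = _digest(self._for_login(password), self.salt)
        return hmac.compare_digest(attempt, self.stored)

class ConsistentStore(TruncatingStore):
    """Same limit, but enforced visibly at set time instead of by truncation."""

    def _for_storage(self, password: str) -> str:
        if len(password) > self.LIMIT:
            raise ValueError(f"password longer than {self.LIMIT} characters")
        return password
```

With `TruncatingStore`, a 24-character password is accepted, fails at login, and cannot be "reset" to itself; `ConsistentStore` rejects it up front, so the user learns about the limit before being locked out.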
11 points
7 points