I was quite interested in this as I had run into a similar problem myself on a couple of websites. I use a (personally generated) unique password for each site. On these particular sites the front page login area allow you to type a shorter (or in one case longer) password than is accepted on a separate login page on the same site. Hence if I arrive at the one page and use my password it states ‘wrong password’ and throws me to the ‘other’ (try again) login page, where exactly the same password is accepted. It took me quite a while to to realise that different web pages on the same site were implementing different password length checks & actually truncating my password). Of course, just as in your example, those rules were not declared either on the web page or in any error message.