I think folks have every reasonable cause to question the general competence of IT persons who design authentication systems that mandate an exact password length, or a maximum password length (say, 10 characters max), or passwords which must not contain certain characters, or lock your account out after three (why three?) attempts.
Also cute – government online service providers that ask you to fill out a “forgotten password phrase” when you set up your account initially. How are mere mortals supposed to remember the phrase two years down the track without writing it down or reusing it? And how is this supposed to be more secure than your basic security questions?