It's not the 8-characters, no-two-in-a-row, one-of-each, not-username, not-previously-used limitations (which I admit did make me raise my eyebrow - strictest restrictions I have come across in a long time!) that caught my attention. Have a closer look at the permitted character set - for whatever reason the '#' (hash) character is not allowed. Beats me.
This one you probably wouldn't find on the Internet, but it had a unique set of limitations so I decided to post it - this is a default password policy in an Avaya (formerly Nortel) Unified Communications Manager (which comes bundled with their enterprise switch and VoIP management platforms):
Rogers is one of the leading cellular service providers in Canada (along with Bell and Telus). This pearl can be found on their MyRogers customer portal, where customers log in to manage their mobile features, send text messages, pay bills and otherwise manipulate their account profiles:
Besides the fact that prohibiting the use of special characters limits the user's choices when it comes to using one-way-hash password generators like PwdHash or PasswordMaker, it also reduces the overall password strength. Allowing just one special character to be used in a 16-character password increases the number of possibilities by over 4×10^31, thus increasing the time it would take to brute-force that password by over 900 times!
This one was spotted in the Fisheries and Oceans Canada's Fishing Licence System:
Not the worst limitation to have, but allowing 13 characters can increase the time required to brute-force the password by at least 95 times, 14 characters by 9,000 times, and so on. You get the idea.
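The keyspace arithmetic behind the Rogers and Fisheries and Oceans figures above, as an added example that is not part of the original post. It assumes the comparison is 62 alphanumerics against all 95 printable ASCII characters, and it goes one step further by counting how much of an 8-character keyspace survives a "one of each class" rule like the Avaya one (the helper names and the base length of 12 are constructed for illustration).

```python
from itertools import combinations

# Printable-ASCII class sizes: lowercase, uppercase, digits, specials (incl. space).
# Assumption: the post compares 62 alphanumerics with all 95 printable characters.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33
ALNUM = [LOWER, UPPER, DIGIT]
FULL = ALNUM + [SPECIAL]


def keyspace(length, classes, require_each=False):
    """Count passwords of exactly `length` characters drawn from `classes`.

    With require_each=True, count only passwords that contain at least one
    character from every class (inclusion-exclusion over the missing classes).
    """
    total = sum(classes)
    if not require_each:
        return total ** length
    count = 0
    for k in range(len(classes) + 1):
        for missing in combinations(classes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def post_figures():
    """Recompute the multipliers quoted in the post (hypothetical helper)."""
    alnum16, full16 = keyspace(16, ALNUM), keyspace(16, FULL)
    return {
        # Extra candidates once specials are permitted in a 16-char password.
        "added_candidates": full16 - alnum16,
        # Worst-case brute-force time scales with the keyspace ratio.
        "factor_16": full16 / alnum16,
        # Each extra character multiplies the keyspace by the alphabet size;
        # the base length of 12 is constructed, the ratio does not depend on it.
        "one_more_char": keyspace(13, FULL) // keyspace(12, FULL),
        "two_more_chars": keyspace(14, FULL) // keyspace(12, FULL),
        # Share of all 8-char strings that satisfy "one of each class".
        "one_of_each_share_8": keyspace(8, FULL, True) / keyspace(8, FULL),
    }


if __name__ == "__main__":
    for name, value in post_figures().items():
        print(f"{name}: {value:.4g}")
```

The last figure shows that a mandatory "one of each" rule discards more than half of the 8-character candidates an attacker would otherwise have to try.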