I tried running your example, with the exact same password (on a test account) and did not have any issues uploading my sample image. I even looked through a pcap to make sure the encoding is being done correctly.
-desktop:~/Dropbox$ curl -vv -F "username=********" -F "password=='hwsh[g" -F "message=test twitpic" -F media=@./code_Quality_Measurement_wtfm.jpg http://twitpic.com/api/uploadAndPost
* About to connect() to twitpic.com port 80 (#0)
* Trying 174.36.58.233... connected
* Connected to twitpic.com (174.36.58.233) port 80 (#0)
> POST /api/uploadAndPost HTTP/1.1
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: twitpic.com
> Accept: */*
> Content-Length: 46066
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------50b761e49108
>
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: nginx/0.6.35
< Date: Thu, 03 Dec 2009 19:06:38 GMT
< Content-Type: application/xml
< Connection: keep-alive
< X-Powered-By: PHP/5.2.9
< Content-Length: 196
<
<?xml version="1.0" encoding="UTF-8"?>
<rsp status="ok">
<statusid>6311967029</statusid>
<userid>**********</userid>
<mediaid>rzu6c</mediaid>
<mediaurl>http://twitpic.com/rzu6c</mediaurl>
* Connection #0 to host twitpic.com left intact
* Closing connection #0
</rsp>
what Shell are you using? depending on what "special" characters you use in your password, you may need to escape them differently to keep the shell from expanding/etc
any time you use double quotes in a command line, you have to deal with variable expansion, especially if your password contains a dollarsign ($). it may be better to use single quotes around the password field, and explicitely escape any single quotes in your password:
-F 'password==\'hwsh[g'