My programming team wrote an intranet which interfaced with a legacy accounting system. Basically, we were writing a pretty ASP.NET front end to protect users from having to interface with the terminal system.
In any case, one of our testers noticed that our login code accepted any password, so long as the first 8 characters were correct. A tester created a user with the password "Password", but the application would validate "Password1", "PasswordMonkey", "PasswordFakeFakeFakehahahah". So, our tester logged this as a defect. Some investigation revealed that the legacy system stored passwords in a fixed-width, 8-character field, and it just quietly truncates queries to 8 characters. A quick test indicated that this bug existed in the accounting system as well and had simply gone unnoticed for 20 years.
We were unable to modify the legacy application as it was maintained by a third-party vendor, so I wrote a quick if (password.Length > 8) { return false; } on our end -- after all, a password of more than 8 chars can't possibly be correct. Bug fixed, QA signs off.
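The defect described above, modelled as an added example (not the author's code, and not the vendor's): a simulated backend whose password field is a fixed-width 8-character column that truncates both stored values and query values, a probe a tester can run to detect such truncation, and the front-end length check that was added on top. The class and function names are assumptions for illustration.

```python
# Added example: simulation of a fixed-width legacy password field and the
# checks around it. Names (LegacyAccountStore, probe_for_truncation,
# frontend_login) are hypothetical; the behaviour mirrors the story above.

FIELD_WIDTH = 8  # width of the legacy password column


class LegacyAccountStore:
    """Backend whose password column is a fixed-width field.

    Anything past FIELD_WIDTH characters is silently dropped, both when a
    password is stored and when one is supplied for comparison, so every
    password sharing the first 8 characters authenticates.
    """

    def __init__(self):
        self._records = {}  # username -> fixed-width stored value

    @staticmethod
    def _to_field(value):
        # Truncate to the column width, then pad to it (fixed-width semantics).
        return value[:FIELD_WIDTH].ljust(FIELD_WIDTH)

    def create_user(self, username, password):
        self._records[username] = self._to_field(password)

    def authenticate(self, username, password):
        stored = self._records.get(username)
        if stored is None:
            return False
        # The supplied password goes through the same truncation as storage.
        return stored == self._to_field(password)


def probe_for_truncation(store, username, password, suffix="ZZZZ"):
    """QA check for silent truncation.

    If the known-good password authenticates AND the same password with
    garbage appended also authenticates, the backend is ignoring the tail.
    Returns True when truncation is detected.
    """
    return (store.authenticate(username, password)
            and store.authenticate(username, password + suffix))


def frontend_login(store, username, password, max_len=FIELD_WIDTH):
    """Front-end sanity check from the story: a password longer than the
    field can never have been stored, so reject it before asking the backend."""
    if len(password) > max_len:
        return False
    return store.authenticate(username, password)


if __name__ == "__main__":
    store = LegacyAccountStore()
    store.create_user("tester", "Password")  # constructed sample account
    print("backend accepts PasswordMonkey:", store.authenticate("tester", "PasswordMonkey"))
    print("truncation detected:", probe_for_truncation(store, "tester", "Password"))
    print("front-end accepts PasswordMonkey:", frontend_login(store, "tester", "PasswordMonkey"))
```

The probe is the useful part for a defender: run it against any account you control and it tells you whether the authentication path is comparing fewer characters than the user typed, which is what made the 12-character policy meaningless here.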
So, when our application goes into production, we get an "URGENT!! USER'S CAN'T LOG IN TO THEIR ACCOUNTS!!!"-type message from the president of one of our customers. It turns out that state law or company policy required all passwords to be at least 12 characters long, and none of the users were able to use our product after the fix.
We explained that the accounting system simply doesn't store anything beyond 8 characters, and that everything will be peachy if users just type the first 8 characters. "UNACCEPTABLE!" Ok, then we can put a maxlength on the textbox, limiting the input to just the valid range of characters. "IMBECILES! IT WORKED JUST FINE BEFORE, NOW FIX IT!" Our customer got into a shouting match with the president of my company, threatening to change vendors if we didn't fix the application.
So, I "fixed" the application by commenting out the sanity check and reintroduced the bug. It's not an unreasonable request to have authentication code in the ASP.NET front end authenticate the same as the terminal backend, but it's really disconcerting to purposefully re-bug an application.