Friday, August 14, 2009

Insecure Security

Chase Bank has decided to throw all common sense out the window with their username and password policy. Let's start with their username policy:

  • Must contain 8-32 characters
  • Must contain at least one letter and one number
  • Cannot include special characters (&, %, *, etc.)
  • Cannot be the same as your Password
OK. What do we have here? First, any username the customer already uses at other sites is thrown out and they have to come up with a new one. This won't increase forgotten usernames at all. That is still within the realm of sanity, until they impose their password policy, which is the same as the username policy with one extra requirement: the password cannot match any of the previous 5. In other words, passwords cannot contain any symbols. Why would they make such a requirement!? Banning punctuation shrinks the space an attacker has to search, and a policy that forbids particular characters is a strong hint that the backend is doing something with the plaintext other than hashing it. Can they not write some simple unit tests to verify their handling of punctuation?
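The two policies side by side, as an added example that is not Chase's code and not part of the original post: a checker for the rules quoted above (with a switch that lifts only the symbol ban), a count of how many eight-character passwords each rule set permits, and a salted-hash routine with the kind of punctuation round-trip a unit test would cover. The KDF parameters, salt length, sample passwords and usernames are assumptions for illustration.

```python
"""Added example, not Chase's code: the policy quoted in the post, a variant
that allows symbols, what the ban costs in search space, and the punctuation
round-trip the post asks for. KDF parameters and sample data are assumptions."""
import hashlib
import hmac
import math
import os
import re
import string

ALNUM = string.ascii_letters + string.digits   # 62 characters
SYMBOLS = string.punctuation                   # 32 characters (space not counted: assumption)
SALT_LEN = 16
ITERATIONS = 100_000  # assumption; raise to whatever your login latency budget allows


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The password is opaque bytes all the way
    through, so '&', '%', '*' or a quote need no special handling."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_policy(password: str, username: str, previous_hashes=(), allow_symbols=False) -> list:
    """Return the violated rules (an empty list means the password is accepted).
    allow_symbols=False is the policy quoted in the post; True drops only the symbol ban.
    The 'previous 5' rule is checked against stored hashes, never a plaintext history."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs at least one letter and one digit")
    if not allow_symbols and any(ch not in ALNUM for ch in password):
        problems.append("special characters are not allowed")
    if password.lower() == username.lower():
        problems.append("must not equal the username")
    if any(verify_password(password, h) for h in previous_hashes[-5:]):
        problems.append("matches one of the previous 5 passwords")
    return problems


def keyspace_size(length: int, allow_symbols: bool) -> int:
    """Number of strings of `length` characters containing at least one letter
    and at least one digit, by inclusion-exclusion over the permitted alphabet."""
    extra = len(SYMBOLS) if allow_symbols else 0
    total = (62 + extra) ** length          # any permitted character
    no_letter = (10 + extra) ** length      # digits and symbols only
    no_digit = (52 + extra) ** length       # letters and symbols only
    neither = extra ** length               # symbols only
    return total - no_letter - no_digit + neither


def keyspace_bits(length: int, allow_symbols: bool) -> float:
    """Search space in bits, rounded to one decimal."""
    return round(math.log2(keyspace_size(length, allow_symbols)), 1)


if __name__ == "__main__":
    for allow in (False, True):
        print(f"8 chars, symbols {'allowed' if allow else 'banned'}: "
              f"{keyspace_bits(8, allow)} bits")
    # Constructed sample: punctuation-heavy password round-trips through the hash.
    stored = hash_password("O'Reilly; DROP TABLE--42")
    print(verify_password("O'Reilly; DROP TABLE--42", stored))
    print(check_policy("O'Reilly; DROP TABLE--42", "bob", [stored], allow_symbols=True))
```

At length two the symbol ban costs nothing (one letter plus one digit is the only way to satisfy both rules), which is a handy sanity check on the counting; at eight characters it removes several bits from every password an attacker has to guess, and the hash round-trip shows that none of that restriction is needed to store punctuation safely.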
