I have the impression it has to do with an extra ( hidden?) character that is save after the userid or after the password :
example: an extra CRLF or hidden character that is saved during the update of the restrict login
or during the input of the URL .
Will try to catch the reason via wireshark analysis