This still smells though. Why is the raw, plain text password string getting anywhere near database queries in the first place?

Prepared statements, mostly. You define the query using variables, turn that query into a language-dependent object, assign values to those variables, then execute the statement. The values will be passed verbatim, without any parsing.

Or, since we're talking about a password, you could encode or encrypt it before inserting it into the query string. The fact that the website could be negatively affected by phrases in the cleartext password is very concerning.

I noticed that upper case select, drop etc are not prohibited.

Poorly implemented user input filters are not a valid solution to being vulnerable to injection.

Good old Bobby Tables

No one in their right mind is storing plain text passwords, or letting them anywhere near the database.

You convert the password to a hash, and store that. And the hash will look nothing like the password the user typed.

If they're trying to protect themselves from code injection by rejecting certain user input like that, then they don't actually know how to protect themselves from code injection correctly and there may be serious vulnerabilities that they've missed.

(I think it's likely that, as others have said, they're using off-the-shelf software that does properly sanitize user input, and that this is just the unnecessary result of management making ridiculous demands. Even then, it's evidence of an organization that doesn't have the right approach to security.)

Sanitization has nothing to do with salting and hashing.

If there is no overwrought prohibition of something I know that at least in America that means it’s

1. Affirmatively legal and
2. Legislatively encouraged by the FREEE Act

So give ’em hell!

My tactic is use a memorizeable passphrase as the unlock for the vault and assorted gibberish for anything in the vault

Yeah, a bunch of asterisks works too.

For maximum security your password manager should have a password and you have no choice but to remember that password.

Eh it's still pretty hard.

If we check the numbers of English words from https://www.merriam-webster.com/help/faq-how-many-english-words and take a conservative estimate of 400 000 at the bottom of the page.

That means with the exact format of (word)(number)- 4 times has (without repeating words) 400000*9*399999*9*399998*9*399997*9 = 167957820891293697014400000 combinations. https://www.wolframalpha.com/input?i=400000939999893999979399996*9

The fastest super computer at the moment apparently sits at 1.1 quintillion Hz. Or 1.1 billion billion.

If that computer could make 1 guess every clock cycle it would still take it over 4 years (167957820891293697014400000 / 1.1quintillion = ~52 months ) to run through all possibilities.

Now that is a very fast computer, and we haven't included the possibility of various numbers of words, different delimiter, or where and how often numbers appear. So unless you've really pissed off the US gov I don't think you have to worry about it.

There's a reason passphrases are the currently recommended way to generate secure passwords that are hard to guess but easy to memorize/type in.