A year or so ago this was also the case with Facebook [0]. I believe it's a simple compromise between user experience and security. You can probably eliminate a large portion of user frustration this way. Before you instinctively respond with something like "but security should be the NUMBER ONE priority," realize that you're *always* making a compromise between user experience and security, and in fact, the two aren't even orthogonal. You could require users to purchase and use biometric scanners to authenticate, but that would likely be very frustrating. Or, you could require users to use a 50-character password with tons of entropy, but that would probably just lead to users leaving, or (perhaps worse) writing their password on a note stuck to their monitor.

[0] http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612

—Actually, Facebook wasn't completely case insensitive. It only accepts the chosen password and a version with every character's case inverted.
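The acceptance rule described in the reply above (the exact password or its fully case-inverted form), sketched as an added example; it is not part of the thread and not Facebook's code. The function names, PBKDF2 parameters and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Example KDF settings (assumed for this sketch, not taken from the thread).
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )

def enroll(password: str) -> tuple[bytes, bytes]:
    """Store one salted hash of the password exactly as the user chose it."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

def candidates(submitted: str) -> list[str]:
    """The submitted string plus its case-inverted form (the Caps Lock slip).

    str.swapcase() is not a clean inverse for every non-ASCII letter
    (for example 'ß' becomes 'SS'), so this sketch is reliable for ASCII input.
    """
    variants = [submitted]
    inverted = submitted.swapcase()
    if inverted != submitted:  # digits/symbols only: nothing to invert
        variants.append(inverted)
    return variants

def verify(submitted: str, salt: bytes, stored: bytes) -> bool:
    """Accept the exact password or its case-inverted form, nothing else."""
    ok = False
    for candidate in candidates(submitted):
        # Constant-time comparison, no early exit: every variant is hashed.
        ok |= hmac.compare_digest(hash_password(candidate, salt), stored)
    return ok

if __name__ == "__main__":
    salt, stored = enroll("CorrectHorse9")          # constructed sample
    print(verify("CorrectHorse9", salt, stored))    # exact match
    print(verify("cORRECThORSE9", salt, stored))    # Caps Lock left on
    print(verify("correcthorse9", salt, stored))    # all lower case: rejected
```

Only one hash is stored; the variants are generated from the submitted string at login. Each guess covers at most two stored passwords, so the rule costs at most one bit of search space, whereas full case-insensitivity would cost up to one bit per letter.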
Try making your passwords longer instead of making them harder to enter.

That is to say "usingthisasapassword" is ~4 million times better than using "p4ssWOrd!".
Actually, I don't see that as a big deal. Maybe it could be tweaked to have only the first one sensitive or try the all-caps/no-caps. But still, it's all in the length of the password. I prefer to have that rather than someone forcing me to use a 6-8 character password with at least one cap, one special or any of this bullshit.