Apparently the Obamacare website has odd, and poorly explained, constraints on both.
One company with which I've done business has very narrow constraints on allowable passwords (small character set, small range of acceptable lengths).
I mean, seriously: if you've taken the slightest precautions - sanitizing inputs against Bobby Tables, for example, and storing passwords as hashes - what constraints are really appropriate here?
Technically speaking, both fields need to contain only characters which will be consistently transmitted by a variety of Web browsers, and consistently handled by any server. So, no control characters nor rubouts. The username should presumably be made up entirely of graphic characters, anyway, and of somewhat limited length.
Apart from those considerations, why not just allow any dang UTF-8 string that passes basic sanity checking and is not unreasonably short (password) nor unreasonably long (username, just in case you get some wisacre wanting a name that's 972 letters in Sanskrit)?
If I want my username to be "G'rig𓀙/42Ѿd^𐇑 Mc🍩", and my password to be "President Chauncey Gardiner is a stuttering cluster@@@~X|~~ NO CARRIER", what business is that of anyone else?