The following behavior appears to be a bug in Window Credential Manager but I cannot find reference to it within Microsoft Community. I have reproduced this behavior with Windows 10 build 1803 as well as Windows Server 2012 R2 build 9600.
When a Generic Credential is created via the Control Panel\User Accounts\Credential Manager for which the password length is a multiple of 4, a portion of the 'Internet or network address' is appended to the saved password.
Example, create a new Generic Credential with the following values:
Internet or network address: ABCDEFGHIJKL
User name: ABC
The stored password is: 01234567ABCDEFGH
If the password is 7 or 9 characters long, the correct value is stored. Also, if the entered Password is only 4 characters long, only 'ABCD' will be appended.
We are using CredReadA to verify the stored credentials. We also tried creating these same credentials using CredWriteA and the issue does not appear. However, if the Password for this credential is then modified/re-entered in the Credential Manager GUI, the issue appears.
If anyone can reproduce and/or suggest the origin of this issue, it would be much appreciated.