I've been banging my head against the wall today trying to figure out why a user's password wasn't working. It turns out that Webmin does not set passwords properly if "special" characters are used in them, specifically single and double quotes.
For example, the password t53'6FS5d does not work when set through the web interface, but SSHing in as root allows the password to be set.
If there are explicitly invalid characters, the field should be checked/sanitized and the person setting the password should know about it. As it stands, there are no restrictions listed in the Web UI.