Why would you even bother with prepending "tesco" unless you were reusing that "20+ psuedo-random character" string across other sites? That's shitty practice on your end.
What pisses me off about password restrictions is that they change and break my existing passwords.
Most recently, T-Mobile changed their shit to disallow some characters / reduce the length allowed, so my perfectly existing password was rejected as being "wrong", my account locked, and I had to fight with their customer service goons to get a reset. During the support session, the customer support clown actually asked for my actual password! Promptly told the bitch to fuck off and escalate the issue - 5 hours later in the middle of the night I'm FINALLY sent a reset token. I received absolutely zero communication from anyone at T-Mbolie about it.
This also happened to me with my electric utility - they say right on the page they take 16 character passwords, and I was able to set a 16 character password, but when logging in it would fail. It worked if I truncated my input to 15 characters (after setting it as the full 16).
Plenty of other sites have fucked me in similar ways. Who in the fucking shit would change password length/character policies to make them MORE restrictive? Who the fuck would do this on the standard login page that can affect existing passwords?