I had a similar kind of trojan on one of my sites, which had a 16-character password including special characters.
That is the problem with ready-made code for sites (which is customized later), such as this forum, WordPress, and others, where some nasty guy invests time in finding some security breach, because he knows that he will be able to infect 100k's of other sites of the same kind.
They usually either don't need your password or can extract it somehow.