@ is acceptable in both SQL Server and Windows passwords. In the case of Windows Authentication, SQL Server will never even be sent the actual password as authentication is offloaded to Active Directory. Sounds like an application issue to me. Something in between the login screen/dialog and the database server the application is munging the password.