I tried to monitor an external job in Hudson according to http://wiki.jenkins-ci.org/display/JENKINS/Monitoring+external+jobs. My password has a hash sign (#) in it, so I specified the following URL as HUDSON_HOME:
http://user@test#password@localhost/hudson/

You can see in http://fisheye.jenkins-ci.org/browse/Hudson/trunk/hudson/main/core/src/main/java/hudson/Main.java?r=HEAD that Hudson creates a java.net.URL object out of the HUDSON_HOME variable and extracts the credentials using its getUserInfo() method (http://java.sun.com/javase/6/docs/api/java/net/URL.html#getUserInfo%28%29). Because of this, it is not possible to encode the # as %23, as new URL("http://user:test%23password@localhost/hudson/").getUserInfo() returns "user:test%23password", which contains the wrong password of course.

The problem is now that Hudson does not call the URL http://localhost/hudson/ here, but instead the URL http://localhost/. This might be a bug in the implementation of the URL class, as it seems to sometimes interpret the # sign as the beginning of the URL anchor part. Here are some example return values of the methods of a new URL("http://user:test#password@localhost/hudson/") object:
getUserInfo(): "user:test#password"
getHost(): "localhost"
getPath(): ""
getRef(): "password@localhost/hudson/"

Even if this is a bug in Java, Hudson should still provide a workaround for this to work with the current and older Java versions. I could imagine three ways to do this:
1. Remove the user and password from the URL before calling URL.openConnection()
2. Call URLDecoder.decode() on URL.getUserInfo() so that I can escape the # sign with %23. This would be backwards compatible except for passwords that contain a % sign.
3. Pass the user name and password outside the URL in different environment variables or arguments.