Tricky ways to cheat the address bar

Most of the mass password thefts from social networks are carried out by viruses that get into the hosts file and swap in a fake login page, but I recently came across an even more subtle way of fooling users:
yandex.ru@%68%61%62%72%61%68%61%62%72%2E%72%75 (the "trick" itself does not work everywhere, and where it does work it does not always look the same).

For example, I would not always notice that this is not the search engine's address but a link to Habr. In fact, this simply uses the perfectly valid URL syntax (as defined in RFC 1728, see section 3.1):
//<user>:<password>@<host>:<port>/<url-path>
(i.e. the string "yandex.ru" is passed as the login).

The real host's address is easy to encode, and once it is percent-encoded in hexadecimal the typical user is unlikely to translate it back into its canonical form. You can also write the server's IP in a form that is unusual to the eye (already discussed on Habr) and get something in this spirit:
vkontakte.ru*id@1297618184
And, for some reason, I am sure that you can also find some character that looks like a question mark...
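As an added example, not code from the original post: the canonicalization a defender-side link checker would apply to the two addresses above. It splits the userinfo off per the //<user>:<password>@<host>:<port>/<url-path> syntax, percent-decodes the host, turns a bare-integer host (decimal or 0x-hex) back into dotted-quad form, and flags a userinfo that is shaped like a domain name. The scheme prefix and the `DOMAIN_LIKE` pattern are my assumptions; IPv6 hosts are not handled.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed heuristic: userinfo that looks like a domain name ("yandex.ru")
# is a decoy meant to be read as the site name.
DOMAIN_LIKE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.IGNORECASE)


def canonicalize(url: str) -> dict:
    """Split a URL into userinfo and host and canonicalize the host, so the
    part the browser actually connects to is shown in plain form."""
    # The post's examples carry no scheme; add one so urlsplit reads the
    # text as //<user>:<password>@<host>:<port>/<url-path>, not as a path.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # Everything before the last "@" is userinfo, whatever it looks like.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    # Drop an optional :port, then percent-decode (%68%61... -> "ha...").
    host = unquote(hostport.rsplit(":", 1)[0]).lower()
    # A bare integer host such as 1297618184 or 0x4d581508 is an IPv4
    # address in disguise; int(host, 0) rejects names and leading zeros.
    try:
        host = str(ipaddress.IPv4Address(int(host, 0)))
    except ValueError:
        pass
    decoded_userinfo = unquote(userinfo)
    return {
        "userinfo": decoded_userinfo,
        "host": host,
        "decoy_userinfo": bool(DOMAIN_LIKE.search(decoded_userinfo)),
    }


if __name__ == "__main__":
    for sample in ("yandex.ru@%68%61%62%72%61%68%61%62%72%2E%72%75",
                   "vkontakte.ru*id@1297618184"):
        print(sample, "->", canonicalize(sample))
```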
UPD: I couldn't come up with a nice headline either, wrote this at night... =).

Source: https://habr.com/ru/post/80219/