It looks like basic authentication does not allow escaped passwords. It encodes the escape characters. For example:
Right now, the Base64Encoder will encode "user : p%40ssword" instead of "user : p@ssword". This causes a 403 Unauthorized.
It looks like it just needs a call to java.net.URLDecoder.decode before Base64Encoder.encode in core/src/main/java/hudson/Main.java.