1) The password reminder is sent in clear text, via email. Why go through the trouble of encrypting everything on the server if it's to send the key on a postcard later? . The solution would be to redirect the user to a page accessible via https (page in rexdesktop wouldn't work since not everybody is a subscriber).
2) There is a password length limitation in the application, but no warning whatsoever. My password ended up being truncated and I couldn't log into Rexdesktop anymore. One solution would be to make the field longer (64 chars is a good limit) and to warn the user as he types a password when he's reached the limit. Another solution would be to only accept characters up to the number of characters accepted by the application. I type 12345678, you accept 123456, then when I type 12345678, you only read 123456 and accept it. It's not a good one, but better than nothing.
Nice to have
3) we can have up to 4 different passwords if we use all 4 Rex applications. There should be a way to only have to manage one