>>With this type of URI, everything after the first @ is parsed as the host & path, correct?
Not entirely correct - everything that is after rightmost @ is host[:port]/path, and everything before leftmost : is username. Everything inbetween is password, and that is why : can only be in password, not username, but you can have @ in both username and password.