In fact, I had this argument at work when we did a security audit. Previous dev wanted to cap passwords at 8 and exclude non-ASCII. I wanted at least 60 and allow anything UTF-8 covered. I lost the argument. I had to wait for him to quit to fix it. Which was in fact the second time. I had fixed it. He put it down where he wanted it because he was extending stuff and he didn’t understand UTF-8 well enough. Then I put it back. o_0