
And this is why the bank says you can only create a password with alphanumeric characters. Despite the huge advances of UTF-8 adoption there are still large numbers of systems out there where you can't reliably use anything other than A-Z and 0-9 as input.



Half the time a bank doing that is also reducing everything to a numeric pin and/or strictly limiting its length. Banks, on average, are a very bad model for password security.


That’s undoubtedly true, but brute force password cracking is something that banks have a relatively easy time of detecting and defeating, so one could argue that the length/char limitations are not as big a problem. I’m far more concerned that many banks (at least in the US) still only offer SMS as a second factor, or even worse, use those horrible “security questions” and call that two-factor authentication.


Yup. SMS is woefully insecure.


I guess mine isn't too bad, it allows a decent length and complexity; the only requirement is that it has to start with three digits because of their old telephone-based system where you can call and check your account balance, protected by a three-digit PIN. You can't do any transactions from it though.


I think they have less of a need to worry about security because they can always roll back errors...


To be fair, UTF wasn't intended to unambiguously denote bytestreams. At least that wasn't its main purpose.

I much prefer alphanumeric only passwords to passwords that are required to have weird symbols.


Emoji might be weird symbols, still, although I make no estimation how they'll be perceived 100 years from now. Whereas Chinese, Hindi, Japanese, Cyrillic characters are not weird. There should be some reasonable subset of UTF8 supported/supportable for passphrases. The kinds of characters routinely seen printed in newspapers of record around the world.


No, I get that forcing alphanumeric is a very arbitrary decision that is far from natural to a large part of the world's population, and normally I would advocate for everyone to adopt Unicode.

However, UTF8 passwords are a recipe for disaster that I want no part of. Passwords should be random byte strings, not a random piece of human language. Now technically alphanumeric isn't quite the same as a random byte string, but it is the one subset of text for which you can be almost certain that it will always be represented by the same bytes (although I suspect someone will point out an exception).

Note that not only does Unicode have several different binary representations, but even a sequence of code points has 4 different canonicalizations, that I cannot guarantee will always remain the same.


Once you venture out of ASCII, you will find that string comparisons are hard.

You'll need to get things into the right encoding (as the article states, UTF-16 is alive and well in some places, and there are two forms of that), and you'll probably need to do unicode normalization for some languages, because not every system will do that the same. But, normalization rules change over time, so you'll need to include the normalization used with the password processing code and storage.
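The normalization and encoding pitfalls this thread describes, as an added example in Python (not code from any commenter): it hashes two visually identical spellings of the same word, first naively and then after NFC normalization plus a fixed UTF-8 encoding, and stores the normalization form next to the digest as the last comment suggests. SHA-256 stands in for a proper slow password KDF to keep the example short; the sample passwords are constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: two ways a client can send "café".
# Precomposed U+00E9 versus "e" followed by combining acute U+0301.
PRECOMPOSED = "caf\u00e9"
DECOMPOSED = "cafe\u0301"


def naive_digest(password: str, encoding: str = "utf-8") -> str:
    """What many systems do: hash whatever bytes the client happened to send.
    The same visible string yields different digests per spelling and per encoding."""
    return hashlib.sha256(password.encode(encoding)).hexdigest()


def canonical_digest(password: str, form: str = "NFC") -> str:
    """Canonicalize code points first, then fix the byte encoding to UTF-8,
    so visually identical input hashes identically regardless of client."""
    canonical = unicodedata.normalize(form, password)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def byte_lengths(password: str) -> dict:
    """Same code points, different byte strings: UTF-8 vs the two UTF-16 forms."""
    return {enc: len(password.encode(enc)) for enc in ("utf-8", "utf-16-le", "utf-16-be")}


def store(password: str, form: str = "NFC") -> str:
    """Record the normalization form beside the digest so a later change of
    default form (or of Unicode's rules) does not lock existing users out."""
    return f"{form}${canonical_digest(password, form)}"


def verify(stored: str, attempt: str) -> bool:
    """Re-derive the digest with the form recorded at enrollment time."""
    form, digest = stored.split("$", 1)
    return hmac.compare_digest(digest, canonical_digest(attempt, form))


if __name__ == "__main__":
    print("naive equal:", naive_digest(PRECOMPOSED) == naive_digest(DECOMPOSED))
    print("canonical equal:", canonical_digest(PRECOMPOSED) == canonical_digest(DECOMPOSED))
    print("byte lengths:", byte_lengths(PRECOMPOSED))
    print("verify decomposed against precomposed record:", verify(store(PRECOMPOSED), DECOMPOSED))
```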



