Passwords using non-ASCII
Most input methods support non-ASCII, typically in the form of Unicode.
Further, most APIs expect Unicode data in the form of UTF-8 or UTF-16.
There is a consistent inconsistency in the code as to the use of 8-bit and 16-bit characters (no use of 32-bit) and free-love exchanges between them. This creates weaknesses and vulnerabilities.
All user input data structures & APIs should be standardized to UTF-8 (or something else).
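
Added example (not code from the project): how mixing 8-bit and 16-bit representations of a non-ASCII password changes what gets hashed, and how one strict conversion to UTF-8 at the input boundary removes the ambiguity. The function names, the sample passwords and the use of SHA-256 as a stand-in for the real password hash are assumptions.

```python
import hashlib

def digest(data: bytes) -> str:
    # SHA-256 stands in for the application's real password hash/KDF (assumption).
    return hashlib.sha256(data).hexdigest()

def narrow_16_to_8(password: str) -> bytes:
    """Keep only the low byte of each UTF-16 code unit, which is what an
    unchecked copy from a 16-bit to an 8-bit character buffer does."""
    return password.encode("utf-16-le")[0::2]

def to_utf8(data: bytes, declared_encoding: str) -> bytes:
    """Boundary conversion: strict decode from the declared encoding, then
    UTF-8. Malformed input raises instead of being passed along."""
    return data.decode(declared_encoding, "strict").encode("utf-8")

def demo() -> dict:
    pw = "pÄsswörd€"                       # constructed sample password
    as_utf8, as_utf16 = pw.encode("utf-8"), pw.encode("utf-16-le")
    try:
        to_utf8(b"\xff\xfe\xfd", "utf-8")  # constructed malformed input
        rejected = False
    except UnicodeDecodeError:
        rejected = True
    return {
        # Same password, two encodings: the stored hash no longer verifies.
        "mismatch": digest(as_utf8) != digest(as_utf16),
        # Lossy narrowing: U+0141/U+0142 collapse to 'A'/'B', so two
        # different passwords produce identical bytes.
        "collision": narrow_16_to_8("Ł1ł2") == narrow_16_to_8("A1B2"),
        # After strict conversion at the boundary both paths agree.
        "canonical_match": digest(to_utf8(as_utf16, "utf-16-le"))
                           == digest(to_utf8(as_utf8, "utf-8")),
        "malformed_rejected": rejected,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```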