owncloud / password_policy

๐Ÿ›ก๏ธ Define password policies for user and public link passwords
GNU General Public License v2.0

Counting of emojis as special characters #141

Open phil-davis opened 6 years ago

phil-davis commented 6 years ago
  1. enable the special characters password policy, and set it to 10
  2. enable "Restrict to these special characters" and put an emoji, e.g. 😀 in the special characters list.
  3. add a user, change their password... giving only 2 😀😀 in the password - you get an error message, good.
  4. add a user, change their password... giving 3 😀😀😀 in the password. The password is saved.

It seems that the smiley emoji counts as 4 characters, and 3 of them is enough to exceed the 12 special characters requirement.

I guess that this will apply to other Unicode characters whose storage is greater than 1 byte. Probably the special characters is counting bytes of special character, rather than the number of "functional" characters.

Firstly, what is the actual reasonable requirement here, if people put Unicode characters in this special characters field?

phil-davis commented 6 years ago

I tried with the Devanagari Nepali character न - 3 of those are not enough, 4 of those gets to the 10 character limit. So I guess that Unicode character is 3 bytes long. Somebody might actually do this sort of thing in India or Russia (Cyrillic) or...

PVince81 commented 6 years ago

@settermjd do you know if there are any best practices in such cases?

technically we could replace strlen and find another PHP function that counts the actual chars
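
The behaviour reported in this thread, as an added example that is not part of the issue and is not the app's own code: a byte-oriented count beside a code-point count, run over the inputs from the report. The function names, the `abc` prefix in the passwords and the byte-matching model are assumptions made for illustration.

```php
<?php
// Hypothetical model of the reported behaviour; not code from password_policy.

/** Byte-oriented count: every byte that also occurs in $allowed counts as one. */
function countSpecialBytes(string $password, string $allowed): int {
    $count = 0;
    foreach (str_split($password) as $byte) {
        if (strpos($allowed, $byte) !== false) {
            $count++;
        }
    }
    return $count;
}

/** Split a UTF-8 string into code points; reject invalid UTF-8. */
function codePoints(string $s): array {
    $parts = preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY);
    if ($parts === false) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $parts;
}

/** Code-point count: each allowed character counts once, whatever its byte length. */
function countSpecialCodePoints(string $password, string $allowed): int {
    $allowedSet = array_flip(codePoints($allowed));
    $count = 0;
    foreach (codePoints($password) as $char) {
        if (isset($allowedSet[$char])) {
            $count++;
        }
    }
    return $count;
}

$minimum = 10; // value from step 1 of the report
$cases = [     // constructed inputs mirroring the thread
    ['abc' . str_repeat('😀', 2), '😀'],
    ['abc' . str_repeat('😀', 3), '😀'],
    ['abc' . str_repeat('न', 3), 'न'],
    ['abc' . str_repeat('न', 4), 'न'],
];
foreach ($cases as [$password, $allowed]) {
    $bytes = countSpecialBytes($password, $allowed);
    $chars = countSpecialCodePoints($password, $allowed);
    printf("%s bytes=%d (%s) code points=%d (%s)\n", $password,
        $bytes, $bytes >= $minimum ? 'accepted' : 'rejected',
        $chars, $chars >= $minimum ? 'accepted' : 'rejected');
}
```

Code points are still not user-perceived characters: an emoji followed by a variation selector or joined with a zero-width joiner counts as several, and `grapheme_strlen()` from the intl extension counts grapheme clusters instead.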