The length limit of VARCHAR in some RDBs is the number of UTF-32 code points.
maxLength counts an emoji and some kanji as two.

Password requirements by NIST:

https://pages.nist.gov/800-63-3/sp800-63b.html

Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.

This requires we should count an emoji (not compounded ones) or other 4-byte chracters as 1 character in a password.