We’ve known for a long time that passwords generally suck. But what is somewhat new is all the research into how passwords are generally bad and how to fix them so that they’re better. The United States National Institute for Standards and Technology (NIST) has collected all this research and is formulating guidelines for password policies to be used across the whole of the US government.
Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!
Under the rather opaque name of “Special Publication 800-63-3: Digital Authentication Guidelines”. That’s bureaucracy for you ↩