Comment by tracker1

10 years ago

I tend to set password fields to varchar(400), though it's encoding info and base64 hashes.

    encoding\options\base64-salt\base64-hash-of-normalized-utf8

I keep the encoding/options so it can be backwards compatible on change... when the encoding/options isn't the current one when the user logs in, it will be re-encoded/saved in the current one... this is so that security can be upgraded over time.

Run normalization on composite Unicode characters & look-alikes before encoding.

I do one thing some consider bad, which is stripping leading/trailing whitespace, which is more often a copy-paste error, not actual password entry.