This is a point of discussion.

Currently, passwords are treated internally as strings encoded in the current locale (Unix and VMS) or code page (Windows). That is what is received from the UI API and older style password reading callbacks alike. Applications are assumed to treat them as such and to do conversions to other encodings if required, regardless of if we're talking front end or back end (such as engines, or in #2011, STORE loaders).

What needs discussing is if this is how we should do it in the future, and also what future we're talking about (some changes are most likely impossible to implement before the next major version - 1.2.0 for the moment - because of compatibility demands). For example, should we make sure that password strings are always converted to UTF8?

The question was raised in #2011.