bcrypt truncates at 72 bytes - not characters. For multi-byte passwords (Cyrillic, emoji), the effective limit is much shorter, and if the cut lands inside a character, the emoji becomes load-bearing: the original password works, but anything that strips it locks the user out. Laravel's built-in validator doesn't catch this.
dev.to/tegos/bcrypt-and-laravel-72-bytes-not-72-characters-3jb1