we take both username and password field values as they are, and we do
make as little assumptions as possible about what they do contain. We
just transform everything into an array of bytes, using UTF-8
encoding; that's it.
Taken to its extreme, you may have a fully valid account using for
both username and password just spaces. You may end up having problems
based on how we mix together username and password values to create
your actual credentials, but in theory you could do it.