“It depends.”
It depends on what technology infrastructure sits between the user and the backend.
For example, a non-breaking space being passed in a URL will generally be firstly UTF-8 encoded and then %hex encoded. So it won’t arrive HTML-entity encoded (contrary to what @phb proposes).
But on the other hand, if the non-breaking space is passed in HTML text or in an HTML tag attribute value then it might well arrive HTML-entity encoded (exactly as @phb proposes, but it could alternatively arrive UTF-8 encoded and that’s it, or not encoded at all and that’s it). However there isn’t a clear answer for whether it would arrive using a named entity (nbsp) or a numbered entity (160), and if numbered then unclear whether it is expressed in hex or decimal. (In XML it would always be numbered in the general case.)
Either way though that has to be catered for in the backend in order to reverse those transformations. If the backend is not expecting to do that then the encoded value may end up being literally included - potentially presenting risks to the backend.
In the case of a password, provided that the user types the password consistently and provided that the technology infrastructure handles it consistently, the password might work anyway, and the user might be blissfully unaware.
However this will always be vulnerable to code changes e.g. some developer notices X years down the track that, hey, we aren’t protecting against / handling properly any of this silliness, fixes the problem, and then the user can’t log in.
I can tell you for a fact that I have seen cases of a user cut-and-pasting text into an application where the application was expecting only printable ASCII but the text actually contained a non-breaking space (instead of a regular space, a difference that is impossible for the user to see) … and then the user contacts IT asking why the field value is being rejected as “invalid”. (In this case, no transformation was being applied. The application just saw the non-breaking space character and rejected it.)
Only if coded to do that.
The best case scenario is that an actual unencoded non-breaking space ends up in the password (and gets hashed along with the rest of the password). I would in some respects consider that a commendable password but only if you know that the character will be accepted, and not encoded, and you are prepared to take the risk that a future coding change breaks your password.