[Major] Privilege passwords are now salted!

li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java

@@ -126,7 +126,7 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements
 	}
 
 	@Override
-	public Certificate authenticate(String username, byte[] password) {
+	public Certificate authenticate(String username, char[] password) {
 		assertContainerStarted();
 		Certificate certificate = this.privilegeHandler.authenticate(username, password);
 		StrolchRealm realm = getContainer().getRealm(certificate);

li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java

@@ -41,7 +41,7 @@ public interface PrivilegeHandler {
 	 * 
 	 * @see li.strolch.privilege.handler.PrivilegeHandler#authenticate(String, byte[])
 	 */
-	public Certificate authenticate(String username, byte[] password);
+	public Certificate authenticate(String username, char[] password);
 
 	/**
 	 * Validate that the certificate is still valid

li.strolch.agent/src/test/java/li/strolch/agent/ComponentContainerTest.java

@@ -168,7 +168,7 @@ public class ComponentContainerTest {
 
 	private static Certificate login(StrolchAgent agent) {
 		PrivilegeHandler privilegeHandler = agent.getContainer().getPrivilegeHandler();
-		return privilegeHandler.authenticate("test", "test".getBytes());
+		return privilegeHandler.authenticate("test", "test".toCharArray());
 	}
 
 	public static void testPersistenceContainer(StrolchAgent agent) {

li.strolch.agent/src/test/java/li/strolch/policytest/PolicyHandlerTest.java

@@ -44,7 +44,7 @@ public class PolicyHandlerTest {
 			PolicyHandler policyHandler = agent.getContainer().getComponent(PolicyHandler.class);
 
 			ComponentContainer container = agent.getContainer();
-			Certificate certificate = container.getPrivilegeHandler().authenticate("test", "test".getBytes());
+			Certificate certificate = container.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 			try (StrolchTransaction tx = container.getRealm(StrolchConstants.DEFAULT_REALM).openTx(certificate,
 					"test")) {
 

li.strolch.agent/src/test/java/li/strolch/runtime/query/enums/EnumHandlerTest.java

@@ -43,7 +43,7 @@ public class EnumHandlerTest {
 
 			ComponentContainer container = agent.getContainer();
 
-			Certificate certificate = container.getPrivilegeHandler().authenticate("test", "test".getBytes());
+			Certificate certificate = container.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 
 			EnumHandler enumHandler = container.getComponent(EnumHandler.class);
 			StrolchEnum sexEnum = enumHandler.getEnum(certificate, "sex", Locale.ENGLISH);

li.strolch.agent/src/test/java/li/strolch/runtime/query/inmemory/FindByLocatorTest.java

@@ -52,7 +52,7 @@ public class FindByLocatorTest {
 		runtimeMock = new RuntimeMock(PATH_FIND_BY_LOCATOR_RUNTIME, ComponentContainerTest.PATH_TRANSIENT_CONTAINER);
 		runtimeMock.mockRuntime();
 		runtimeMock.startContainer();
-		certificate = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		certificate = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 
 	}
 

li.strolch.agent/src/test/java/li/strolch/runtime/query/inmemory/QueryTest.java

@@ -52,7 +52,7 @@ public class QueryTest {
 	public static final String PATH_EMPTY_RUNTIME = "target/QueryTest/"; //$NON-NLS-1$
 
 	private Certificate login(ComponentContainer container) {
-		return container.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		return container.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 	}
 
 	@Test

li.strolch.agent/src/test/resources/cachedtest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/cachedtest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.agent/src/test/resources/emptytest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/emptytest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.agent/src/test/resources/minimaltest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/minimaltest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.agent/src/test/resources/realmtest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/realmtest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.agent/src/test/resources/transactionaltest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/transactionaltest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.agent/src/test/resources/transienttest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/transienttest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.agent/src/test/resources/versioningtest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.agent/src/test/resources/versioningtest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.performancetest/src/runtime_postgresql/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.performancetest/src/runtime_postgresql/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="cached" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="cached" password="14df65e4ec6adae5e426dff1248f8a4bafc9791b7d5a4dfad89b00e06803e679" salt="636163686564">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -18,7 +18,7 @@
 			<Property name="realm" value="cached" />
 		</Properties>
 	</User>
-	<User userId="2" username="transactional" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="transactional" password="67252256c67e43fd6674cfd5e5d47536af5b8bc40eb297c1e9edf5da5fc1c2a6" salt="7472616e73616374696f6e616c">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.performancetest/src/runtime_postgresql_versioning/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.performancetest/src/runtime_postgresql_versioning/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="cached" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="cached" password="14df65e4ec6adae5e426dff1248f8a4bafc9791b7d5a4dfad89b00e06803e679" salt="636163686564">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -18,7 +18,7 @@
 			<Property name="realm" value="cached" />
 		</Properties>
 	</User>
-	<User userId="2" username="transactional" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="transactional" password="67252256c67e43fd6674cfd5e5d47536af5b8bc40eb297c1e9edf5da5fc1c2a6" salt="7472616e73616374696f6e616c">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.performancetest/src/runtime_transient/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.performancetest/src/runtime_transient/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="transient" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="transient" password="cc6072ac76d018d95c964ca3d8d1d934a2bf66a369bdf2ff5a539bf23ecde11b" salt="7472616e7369656e74">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.performancetest/src/runtime_xml/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.performancetest/src/runtime_xml/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="cached" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="cached" password="14df65e4ec6adae5e426dff1248f8a4bafc9791b7d5a4dfad89b00e06803e679" salt="636163686564">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -18,7 +18,7 @@
 			<Property name="realm" value="cached" />
 		</Properties>
 	</User>
-	<User userId="2" username="transactional" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="transactional" password="67252256c67e43fd6674cfd5e5d47536af5b8bc40eb297c1e9edf5da5fc1c2a6" salt="7472616e73616374696f6e616c">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.performancetest/src/test/java/li/strolch/performance/PerformanceTest.java

@@ -18,7 +18,7 @@ public abstract class PerformanceTest {
 	@Test
 	public void runPerformanceTestCached() {
 
-		Certificate certificate = runtime().getPrivilegeHandler().authenticate("cached", "test".getBytes());
+		Certificate certificate = runtime().getPrivilegeHandler().authenticate("cached", "test".toCharArray());
 
 		ServiceHandler svcHandler = runtime().getServiceHandler();
 		svcHandler.doService(certificate, new PerformanceTestService(), argInstance());
@@ -27,7 +27,7 @@ public abstract class PerformanceTest {
 	@Test
 	public void runPerformanceTestTransactional() {
 
-		Certificate certificate = runtime().getPrivilegeHandler().authenticate("transactional", "test".getBytes());
+		Certificate certificate = runtime().getPrivilegeHandler().authenticate("transactional", "test".toCharArray());
 
 		ServiceHandler svcHandler = runtime().getServiceHandler();
 		svcHandler.doService(certificate, new PerformanceTestService(), argInstance());

li.strolch.performancetest/src/test/java/li/strolch/performance/PerformanceTransientTest.java

@@ -50,7 +50,7 @@ public class PerformanceTransientTest {
 	@Test
 	public void runPerformanceTest() {
 
-		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("transient", "test".getBytes());
+		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("transient", "test".toCharArray());
 
 		ServiceHandler svcHandler = runtimeMock.getServiceHandler();
 		svcHandler.doService(certificate, new PerformanceTestService(), new PerformanceTestArgument());

li.strolch.persistence.postgresql/src/test/java/li/strolch/persistence/postgresql/dao/test/ActivityQueryTest.java

@@ -59,7 +59,7 @@ public class ActivityQueryTest extends QueryTest {
 		new File(rootPath, DB_STORE_PATH_DIR).mkdir();
 		runtimeMock.startContainer();
 
-		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 		StrolchRealm realm = runtimeMock.getRealm(StrolchConstants.DEFAULT_REALM);
 		try (StrolchTransaction tx = realm.openTx(cert, "test")) {
 			ActivityMap activityMap = tx.getActivityMap();

li.strolch.persistence.postgresql/src/test/java/li/strolch/persistence/postgresql/dao/test/AuditQueryTest.java

@@ -100,7 +100,7 @@ public class AuditQueryTest {
 		cal.set(2000, 11, 1);
 		future = cal.getTime();
 
-		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 		StrolchRealm realm = runtimeMock.getRealm(StrolchConstants.DEFAULT_REALM);
 		int i = 0;
 		try (StrolchTransaction tx = realm.openTx(cert, "test")) {

li.strolch.persistence.postgresql/src/test/java/li/strolch/persistence/postgresql/dao/test/ObserverUpdateTest.java

@@ -120,7 +120,7 @@ public class ObserverUpdateTest {
 		realm.getObserverHandler().registerObserver(Tags.RESOURCE, observer);
 
 		PrivilegeHandler privilegeHandler = runtimeMock.getAgent().getContainer().getPrivilegeHandler();
-		Certificate certificate = privilegeHandler.authenticate("test", "test".getBytes()); //$NON-NLS-1$ //$NON-NLS-2$
+		Certificate certificate = privilegeHandler.authenticate("test", "test".toCharArray()); //$NON-NLS-1$ //$NON-NLS-2$
 
 		// create order
 		Order newOrder = createOrder("MyTestOrder", "Test Name", "TestType", new Date(), State.CREATED); //$NON-NLS-1$//$NON-NLS-2$ //$NON-NLS-3$

li.strolch.persistence.postgresql/src/test/java/li/strolch/persistence/postgresql/dao/test/OrderQueryTest.java

@@ -78,7 +78,7 @@ public class OrderQueryTest extends QueryTest {
 		cal.set(2000, 11, 1);
 		future = cal.getTime();
 
-		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 		StrolchRealm realm = runtimeMock.getRealm(StrolchConstants.DEFAULT_REALM);
 		try (StrolchTransaction tx = realm.openTx(cert, "test")) {
 			OrderMap orderMap = tx.getOrderMap();

li.strolch.persistence.postgresql/src/test/java/li/strolch/persistence/postgresql/dao/test/RealmTest.java

@@ -82,7 +82,7 @@ public class RealmTest extends AbstractModelTest {
 		String type = "Bla"; //$NON-NLS-1$
 
 		PrivilegeHandler privilegeHandler = runtimeMock.getAgent().getContainer().getPrivilegeHandler();
-		Certificate certificate = privilegeHandler.authenticate(TEST, TEST.getBytes());
+		Certificate certificate = privilegeHandler.authenticate(TEST, TEST.toCharArray());
 
 		{
 			StrolchRealm firstRealm = runtimeMock.getRealm(FIRST);

li.strolch.persistence.postgresql/src/test/java/li/strolch/persistence/postgresql/dao/test/ResourceDaoTest.java

@@ -55,7 +55,7 @@ public class ResourceDaoTest extends QueryTest {
 		new File(rootPath, DB_STORE_PATH_DIR).mkdir();
 		runtimeMock.startContainer();
 
-		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		Certificate cert = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 		StrolchRealm realm = runtimeMock.getRealm(StrolchConstants.DEFAULT_REALM);
 		try (StrolchTransaction tx = realm.openTx(cert, "test")) {
 

li.strolch.persistence.postgresql/src/test/resources/cachedruntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.postgresql/src/test/resources/cachedruntime/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.postgresql/src/test/resources/cachedruntimeVersioning/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.postgresql/src/test/resources/cachedruntimeVersioning/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.postgresql/src/test/resources/realmtest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.postgresql/src/test/resources/realmtest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.postgresql/src/test/resources/transactionalruntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.postgresql/src/test/resources/transactionalruntime/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.postgresql/src/test/resources/transactionalruntimeVersioning/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.postgresql/src/test/resources/transactionalruntimeVersioning/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.xml/src/test/resources/cachedruntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.xml/src/test/resources/cachedruntime/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.xml/src/test/resources/existingDbRuntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.xml/src/test/resources/existingDbRuntime/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.persistence.xml/src/test/resources/transactionalruntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.persistence.xml/src/test/resources/transactionalruntime/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.planningwebapp/src/main/webapp/WEB-INF/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.planningwebapp/src/main/webapp/WEB-INF/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="1" username="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918">
+	<User userId="1" username="admin" password="cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344" salt="61646d696e">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -20,7 +20,7 @@
 		</Properties>
 	</User>
 
-	<User userId="2" username="bob" password="81b637d8fcd2c6da6359e6963113a1170de795e4b725b84d1e0b4cfd9ec58ce9">
+	<User userId="2" username="bob" password="d4466de3cad2a005930c4317ad0fcb307422c63b8febd5d7721195cd511edde5" salt="626f62">
 		<Firstname>Bob</Firstname>
 		<Lastname>Bernstein</Lastname>
 		<State>ENABLED</State>
@@ -30,7 +30,7 @@
 		</Roles>
 
 	</User>
-	<User userId="3" username="jill" password="8cf37351b60f00084392043ce2e6256b96cea92949f90c7abce464cf164fbfa6">
+	<User userId="3" username="jill" password="b7d33c8305bf89ed21be111270310a7450198be8be6b362e52999c2500eb5218" salt="6a696c6c">
 		<Firstname>Jill</Firstname>
 		<Lastname>Johnson</Lastname>
 		<State>ENABLED</State>
@@ -40,7 +40,7 @@
 		</Roles>
 
 	</User>
-	<User userId="4" username="sysAdmin" password="8cffb494ef5ff3f74a571206e141d4fb84f833e431b98c8b3be43727c4cbddc1">
+	<User userId="4" username="sysAdmin" password="fd6a5e8f6a59fbb18109444c5ea99ac326353cd664cc8d61a3a785081e7f4aa0" salt="73797341646d696e">
 		<Firstname>System User</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>SYSTEM</State>

li.strolch.privilege/config/PrivilegeConfig.xml

@@ -15,7 +15,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.privilege/config/PrivilegeConfigMerge.xml

@@ -11,7 +11,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.privilege/config/PrivilegeUsers.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Users>
 
-	<User userId="1" username="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918">
+	<User userId="1" username="admin" password="cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344" salt="61646d696e">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.privilege/config/PrivilegeUsersMerge.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <Users>
 
-	<User userId="1" username="userA" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918">
+	<User userId="1" username="userA" password="cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344" salt="61646d696e">
 		<Firstname>System User</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -12,7 +12,7 @@
 		</Roles>
 	</User>
 
-	<User userId="2" username="userB" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918">
+	<User userId="2" username="userB" password="cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344" salt="61646d696e">
 		<Firstname>System User</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.privilege/src/main/java/Temp.java

@@ -0,0 +1,80 @@
+import java.io.UnsupportedEncodingException;
+import java.security.SecureRandom;
+import java.text.MessageFormat;
+
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+
+public class Temp {
+
+	public static void main(String[] args) throws Exception {
+
+		for (int i = 0; i < 10; i++) {
+
+			long start = System.nanoTime();
+
+			byte[] bytes = new byte[16];
+			SecureRandom secureRandom = new SecureRandom();
+			secureRandom.nextBytes(bytes);
+			String token = getHexString(bytes);
+			System.out.println(token);
+
+			String algorithm = "PBKDF2WithHmacSHA512";
+			char[] password = "admin".toCharArray();
+			byte[] salt = "admin".getBytes();
+			int iterations = 10000;
+			int keyLength = 256;
+
+			SecretKeyFactory skf = SecretKeyFactory.getInstance(algorithm);
+			PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyLength);
+			SecretKey key = skf.generateSecret(spec);
+			byte[] res = key.getEncoded();
+
+			System.out.println("Password hash: " + getHexString(res));
+			System.out.println("Salt: " + getHexString(salt));
+
+			long end = System.nanoTime();
+			System.out.println("Took: " + formatNanoDuration(end - start));
+		}
+	}
+
+	public static String getHexString(byte[] raw) throws RuntimeException {
+		try {
+			byte[] hex = new byte[2 * raw.length];
+			int index = 0;
+
+			for (byte b : raw) {
+				int v = b & 0xFF;
+				hex[index++] = HEX_CHAR_TABLE[v >>> 4];
+				hex[index++] = HEX_CHAR_TABLE[v & 0xF];
+			}
+
+			return new String(hex, "ASCII"); //$NON-NLS-1$
+
+		} catch (UnsupportedEncodingException e) {
+			String msg = MessageFormat.format("Something went wrong while converting to HEX: {0}", e.getMessage()); //$NON-NLS-1$
+			throw new RuntimeException(msg, e);
+		}
+	}
+
+	public static String formatNanoDuration(final long nanos) {
+		if (nanos >= 3600000000000L) {
+			return String.format("%.0fh", (nanos / 3600000000000.0D)); //$NON-NLS-1$
+		} else if (nanos >= 60000000000L) {
+			return String.format("%.0fm", (nanos / 60000000000.0D)); //$NON-NLS-1$
+		} else if (nanos >= 1000000000L) {
+			return String.format("%.0fs", (nanos / 1000000000.0D)); //$NON-NLS-1$
+		} else if (nanos >= 1000000L) {
+			return String.format("%.0fms", (nanos / 1000000.0D)); //$NON-NLS-1$
+		} else if (nanos >= 1000L) {
+			return String.format("%.0fus", (nanos / 1000.0D)); //$NON-NLS-1$
+		} else {
+			return nanos + "ns"; //$NON-NLS-1$
+		}
+	}
+
+	private static final byte[] HEX_CHAR_TABLE = { (byte) '0', (byte) '1', (byte) '2', (byte) '3', (byte) '4',
+			(byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9', (byte) 'a', (byte) 'b', (byte) 'c', (byte) 'd',
+			(byte) 'e', (byte) 'f' };
+}

li.strolch.privilege/src/main/java/li/strolch/privilege/handler/DefaultEncryptionHandler.java

@@ -15,13 +15,17 @@
  */
 package li.strolch.privilege.handler;
 
-import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
 import java.text.MessageFormat;
 import java.util.Map;
 
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -37,7 +41,7 @@ import li.strolch.utils.helper.StringHelper;
  * 
  * Required parameters:
  * <ul>
- * <li> {@link XmlConstants#XML_PARAM_HASH_ALGORITHM}</li>
+ * <li>{@link XmlConstants#XML_PARAM_HASH_ALGORITHM}</li>
  * </ul>
  * 
  * @author Robert von Burg <eitch@eitchnet.ch>
@@ -55,40 +59,47 @@ public class DefaultEncryptionHandler implements EncryptionHandler {
 	private SecureRandom secureRandom;
 
 	/**
-	 * The configured hash algorithm for this instance
+	 * The configured algorithm for this instance
 	 */
-	private String hashAlgorithm;
+	private String algorithm;
 
-	@Override
+	/**
-	public String convertToHash(String string) {
+	 * The number of iterations to perform the hashing with
-		return convertToHash(string.getBytes());
+	 */
-	}
+	private int iterations;
 
-	@Override
+	/**
-	public String convertToHash(byte[] bytes) {
+	 * The length of the secure key for the hashing
-		try {
+	 */
-
+	private int keyLength;
-			return StringHelper.hashAsHex(this.hashAlgorithm, bytes);
-
-		} catch (RuntimeException e) {
-			if (e.getCause() == null)
-				throw e;
-			if (e.getCause().getClass().equals(NoSuchAlgorithmException.class))
-				throw new PrivilegeException(
-						MessageFormat.format("Algorithm {0} was not found!", this.hashAlgorithm), e.getCause()); //$NON-NLS-1$
-			if (e.getCause().getClass().equals(UnsupportedEncodingException.class))
-				throw new PrivilegeException("Charset ASCII is not supported!", e.getCause()); //$NON-NLS-1$
-
-			throw e;
-		}
-	}
 
 	@Override
 	public String nextToken() {
 		byte[] bytes = new byte[16];
 		this.secureRandom.nextBytes(bytes);
-		String randomString = new String(bytes);
+		return StringHelper.getHexString(bytes);
-		return randomString;
+	}
+
+	@Override
+	public byte[] nextSalt() {
+		byte[] bytes = new byte[32];
+		this.secureRandom.nextBytes(bytes);
+		return bytes;
+	}
+
+	@Override
+	public byte[] hashPassword(char[] password, byte[] salt) {
+
+		try {
+			SecretKeyFactory skf = SecretKeyFactory.getInstance(this.algorithm);
+			PBEKeySpec spec = new PBEKeySpec(password, salt, this.iterations, this.keyLength);
+			SecretKey key = skf.generateSecret(spec);
+			byte[] res = key.getEncoded();
+			return res;
+
+		} catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+			throw new IllegalStateException(e);
+		}
 	}
 
 	@Override
@@ -97,18 +108,14 @@ public class DefaultEncryptionHandler implements EncryptionHandler {
 		this.secureRandom = new SecureRandom();
 
 		// get hash algorithm parameters
-		this.hashAlgorithm = parameterMap.get(XmlConstants.XML_PARAM_HASH_ALGORITHM);
+		this.algorithm = parameterMap.getOrDefault(XmlConstants.XML_PARAM_HASH_ALGORITHM, "PBKDF2WithHmacSHA512");
-		if (this.hashAlgorithm == null || this.hashAlgorithm.isEmpty()) {
+		this.iterations = Integer.parseInt(parameterMap.getOrDefault(XmlConstants.XML_PARAM_HASH_ITERATIONS, "200000"));
-			String msg = "[{0}] Defined parameter {1} is invalid"; //$NON-NLS-1$
+		this.keyLength = Integer.parseInt(parameterMap.getOrDefault(XmlConstants.XML_PARAM_HASH_KEY_LENGTH, "256"));
-			msg = MessageFormat.format(msg, EncryptionHandler.class.getName(), XmlConstants.XML_PARAM_HASH_ALGORITHM);
-			throw new PrivilegeException(msg);
-		}
 
 		// test hash algorithm
 		try {
-			convertToHash("test"); //$NON-NLS-1$
+			hashPassword("test".toCharArray(), "test".getBytes()); //$NON-NLS-1$
-			DefaultEncryptionHandler.logger.info(MessageFormat
+			DefaultEncryptionHandler.logger.info(MessageFormat.format("Using hashing algorithm {0}", this.algorithm)); //$NON-NLS-1$
-					.format("Using hashing algorithm {0}", this.hashAlgorithm)); //$NON-NLS-1$
 		} catch (Exception e) {
 			String msg = "[{0}] Defined parameter {1} is invalid because of underlying exception: {2}"; //$NON-NLS-1$
 			msg = MessageFormat.format(msg, EncryptionHandler.class.getName(), XmlConstants.XML_PARAM_HASH_ALGORITHM,

li.strolch.privilege/src/main/java/li/strolch/privilege/handler/DefaultPrivilegeHandler.java

@@ -404,7 +404,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	}
 
 	@Override
-	public UserRep addUser(Certificate certificate, UserRep userRepParam, byte[] password) {
+	public UserRep addUser(Certificate certificate, UserRep userRepParam, char[] password) {
 		try {
 
 			// validate user actually has this type of privilege
@@ -433,18 +433,22 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 				throw new PrivilegeException(MessageFormat.format(msg, userRep.getUsername()));
 			}
 
-			String passwordHash = null;
+			byte[] passwordHash = null;
+			byte[] salt = null;
 			if (password != null) {
 
 				// validate password meets basic requirements
 				validatePassword(password);
 
+				// get new salt for user
+				salt = this.encryptionHandler.nextSalt();
+
 				// hash password
-				passwordHash = this.encryptionHandler.convertToHash(password);
+				passwordHash = this.encryptionHandler.hashPassword(password, salt);
 			}
 
 			// create new user
-			User newUser = createUser(userRep, passwordHash);
+			User newUser = createUser(userRep, passwordHash, salt);
 
 			// detect privilege conflicts
 			assertNoPrivilegeConflict(newUser);
@@ -465,7 +469,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	}
 
 	@Override
-	public UserRep replaceUser(Certificate certificate, UserRep userRep, byte[] password) {
+	public UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password) {
 		try {
 
 			// validate user actually has this type of privilege
@@ -491,17 +495,21 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 				throw new PrivilegeException(MessageFormat.format(msg, userRep.getUsername()));
 			}
 
-			String passwordHash = null;
+			byte[] passwordHash = null;
+			byte[] salt = null;
 			if (password != null) {
 
 				// validate password meets basic requirements
 				validatePassword(password);
 
+				// get new salt for user
+				salt = this.encryptionHandler.nextSalt();
+
 				// hash password
-				passwordHash = this.encryptionHandler.convertToHash(password);
+				passwordHash = this.encryptionHandler.hashPassword(password, salt);
 			}
 
-			User newUser = createUser(userRep, passwordHash);
+			User newUser = createUser(userRep, passwordHash, salt);
 
 			// detect privilege conflicts
 			assertNoPrivilegeConflict(newUser);
@@ -532,8 +540,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 		}
 	}
 
-	private User createUser(UserRep userRep, String passwordHash) {
+	private User createUser(UserRep userRep, byte[] passwordHash, byte[] salt) {
-		User user = new User(userRep.getUserId(), userRep.getUsername(), passwordHash, userRep.getFirstname(),
+		User user = new User(userRep.getUserId(), userRep.getUsername(), passwordHash, salt, userRep.getFirstname(),
 				userRep.getLastname(), userRep.getUserState(), userRep.getRoles(), userRep.getLocale(),
 				userRep.getPropertyMap());
 		return user;
@@ -563,7 +571,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 
 		String userId = existingUser.getUserId();
 		String username = existingUser.getUsername();
-		String password = existingUser.getPassword();
+		byte[] password = existingUser.getPassword();
+		byte[] salt = existingUser.getSalt();
 		String firstname = existingUser.getFirstname();
 		String lastname = existingUser.getLastname();
 		UserState userState = existingUser.getUserState();
@@ -582,7 +591,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 			propertyMap = userRep.getPropertyMap();
 
 		// create new user
-		User newUser = new User(userId, username, password, firstname, lastname, userState, roles, locale, propertyMap);
+		User newUser = new User(userId, username, password, salt, firstname, lastname, userState, roles, locale,
+				propertyMap);
 
 		// detect privilege conflicts
 		assertNoPrivilegeConflict(newUser);
@@ -657,8 +667,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 		newRoles.add(roleName);
 
 		User newUser = new User(existingUser.getUserId(), existingUser.getUsername(), existingUser.getPassword(),
-				existingUser.getFirstname(), existingUser.getLastname(), existingUser.getUserState(), newRoles,
+				existingUser.getSalt(), existingUser.getFirstname(), existingUser.getLastname(),
-				existingUser.getLocale(), existingUser.getProperties());
+				existingUser.getUserState(), newRoles, existingUser.getLocale(), existingUser.getProperties());
 
 		// detect privilege conflicts
 		assertNoPrivilegeConflict(newUser);
@@ -699,8 +709,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 		Set<String> newRoles = new HashSet<>(currentRoles);
 		newRoles.remove(roleName);
 		User newUser = new User(existingUser.getUserId(), existingUser.getUsername(), existingUser.getPassword(),
-				existingUser.getFirstname(), existingUser.getLastname(), existingUser.getUserState(), newRoles,
+				existingUser.getSalt(), existingUser.getFirstname(), existingUser.getLastname(),
-				existingUser.getLocale(), existingUser.getProperties());
+				existingUser.getUserState(), newRoles, existingUser.getLocale(), existingUser.getProperties());
 
 		// delegate user replacement to persistence handler
 		this.persistenceHandler.replaceUser(newUser);
@@ -725,8 +735,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 
 		// create new user
 		User newUser = new User(existingUser.getUserId(), existingUser.getUsername(), existingUser.getPassword(),
-				existingUser.getFirstname(), existingUser.getLastname(), existingUser.getUserState(),
+				existingUser.getSalt(), existingUser.getFirstname(), existingUser.getLastname(),
-				existingUser.getRoles(), locale, existingUser.getProperties());
+				existingUser.getUserState(), existingUser.getRoles(), locale, existingUser.getProperties());
 
 		// if the user is not setting their own locale, then make sure this user may set this user's locale
 		if (!certificate.getUsername().equals(username)) {
@@ -747,7 +757,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	}
 
 	@Override
-	public void setUserPassword(Certificate certificate, String username, byte[] password) {
+	public void setUserPassword(Certificate certificate, String username, char[] password) {
 		try {
 
 			// validate user actually has this type of privilege
@@ -760,18 +770,22 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 				throw new PrivilegeException(MessageFormat.format("User {0} does not exist!", username)); //$NON-NLS-1$
 			}
 
-			String passwordHash = null;
+			byte[] passwordHash = null;
+			byte[] salt = null;
 			if (password != null) {
 
 				// validate password meets basic requirements
 				validatePassword(password);
 
+				// get new salt for user
+				salt = this.encryptionHandler.nextSalt();
+
 				// hash password
-				passwordHash = this.encryptionHandler.convertToHash(password);
+				passwordHash = this.encryptionHandler.hashPassword(password, salt);
 			}
 
 			// create new user
-			User newUser = new User(existingUser.getUserId(), existingUser.getUsername(), passwordHash,
+			User newUser = new User(existingUser.getUserId(), existingUser.getUsername(), passwordHash, salt,
 					existingUser.getFirstname(), existingUser.getLastname(), existingUser.getUserState(),
 					existingUser.getRoles(), existingUser.getLocale(), existingUser.getProperties());
 
@@ -815,8 +829,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 
 		// create new user
 		User newUser = new User(existingUser.getUserId(), existingUser.getUsername(), existingUser.getPassword(),
-				existingUser.getFirstname(), existingUser.getLastname(), state, existingUser.getRoles(),
+				existingUser.getSalt(), existingUser.getFirstname(), existingUser.getLastname(), state,
-				existingUser.getLocale(), existingUser.getProperties());
+				existingUser.getRoles(), existingUser.getLocale(), existingUser.getProperties());
 
 		// validate that this user may modify this user's state
 		prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_SET_USER_STATE, new Tuple(existingUser, newUser)));
@@ -1059,7 +1073,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 
 		// validate the response
 		UserChallenge userChallenge = this.userChallengeHandler.validateResponse(user, challenge);
-		String authToken = this.encryptionHandler.convertToHash(this.encryptionHandler.nextToken());
+		String authToken = this.encryptionHandler.nextToken();
 		String sessionId = UUID.randomUUID().toString();
 
 		// create a new certificate, with details of the user
@@ -1077,7 +1091,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	}
 
 	@Override
-	public Certificate authenticate(String username, byte[] password) {
+	public Certificate authenticate(String username, char[] password) {
 
 		try {
 			// username must be at least 2 characters in length
@@ -1097,7 +1111,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 			}
 
 			// get 2 auth tokens
-			String authToken = this.encryptionHandler.convertToHash(this.encryptionHandler.nextToken());
+			String authToken = this.encryptionHandler.nextToken();
 
 			// get next session id
 			String sessionId = UUID.randomUUID().toString();
@@ -1232,15 +1246,12 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	 * @throws InvalidCredentialsException
 	 *             if the given credentials are invalid, the user does not exist, or has no password set
 	 */
-	private User checkCredentialsAndUserState(String username, byte[] password)
+	private User checkCredentialsAndUserState(String username, char[] password)
 			throws InvalidCredentialsException, AccessDeniedException {
 
 		// and validate the password
 		validatePassword(password);
 
-		// we only work with hashed passwords
-		String passwordHash = this.encryptionHandler.convertToHash(password);
-
 		// get user object
 		User user = this.persistenceHandler.getUser(username);
 		// no user means no authentication
@@ -1256,14 +1267,6 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 			throw new InvalidCredentialsException(msg);
 		}
 
-		// validate password
-		String pwHash = user.getPassword();
-		if (pwHash == null)
-			throw new AccessDeniedException(
-					MessageFormat.format("User {0} has no password and may not login!", username)); //$NON-NLS-1$
-		if (!pwHash.equals(passwordHash))
-			throw new InvalidCredentialsException(MessageFormat.format("Password is incorrect for {0}", username)); //$NON-NLS-1$
-
 		// validate if user is allowed to login
 		// this also capture the trying to login of SYSTEM user
 		if (user.getUserState() != UserState.ENABLED) {
@@ -1272,6 +1275,25 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 			throw new AccessDeniedException(msg);
 		}
 
+		byte[] pwHash = user.getPassword();
+		if (pwHash == null)
+			throw new AccessDeniedException(
+					MessageFormat.format("User {0} has no password and may not login!", username)); //$NON-NLS-1$
+		byte[] salt = user.getSalt();
+		if (salt == null)
+			throw new AccessDeniedException(MessageFormat.format("User {0} has no salt and may not login!", salt)); //$NON-NLS-1$
+
+		// we only work with hashed passwords
+		byte[] passwordHash = this.encryptionHandler.hashPassword(password, salt);
+
+		logger.info("New hash: " + StringHelper.getHexString(passwordHash));
+		logger.info("User hash: " + StringHelper.getHexString(pwHash));
+		logger.info("User salt: " + StringHelper.getHexString(salt));
+
+		// validate password
+		if (!Arrays.equals(passwordHash, pwHash))
+			throw new InvalidCredentialsException(MessageFormat.format("Password is incorrect for {0}", username)); //$NON-NLS-1$
+
 		return user;
 	}
 
@@ -1426,10 +1448,10 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	/**
 	 * This simple implementation validates that the password is not null, and that the password string is not empty
 	 * 
-	 * @see li.strolch.privilege.handler.PrivilegeHandler#validatePassword(byte[])
+	 * @see li.strolch.privilege.handler.PrivilegeHandler#validatePassword(char[])
 	 */
 	@Override
-	public void validatePassword(byte[] password) throws PrivilegeException {
+	public void validatePassword(char[] password) throws PrivilegeException {
 
 		if (password == null || password.length == 0) {
 			throw new PrivilegeException("A password may not be empty!"); //$NON-NLS-1$
@@ -1708,13 +1730,13 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 	}
 
 	/**
-	 * Passwords should not be kept as strings, as string are immutable, this method thus clears the byte array so that
+	 * Passwords should not be kept as strings, as string are immutable, this method thus clears the char array so that
 	 * the password is not in memory anymore
 	 * 
 	 * @param password
-	 *            the byte array containing the passwort which is to be set to zeroes
+	 *            the char array containing the passwort which is to be set to zeroes
 	 */
-	private void clearPassword(byte[] password) {
+	private void clearPassword(char[] password) {
 		if (password != null) {
 			for (int i = 0; i < password.length; i++) {
 				password[i] = 0;
@@ -1797,7 +1819,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 		}
 
 		// validate password
-		String pwHash = user.getPassword();
+		byte[] pwHash = user.getPassword();
 		if (pwHash != null) {
 			String msg = MessageFormat.format("System users must not have a password: {0}", systemUsername); //$NON-NLS-1$
 			throw new AccessDeniedException(msg);

li.strolch.privilege/src/main/java/li/strolch/privilege/handler/EncryptionHandler.java

@@ -26,29 +26,30 @@ import java.util.Map;
 public interface EncryptionHandler {
 
 	/**
-	 * Calculates or generates a token which can be used to identify certificates and so forth
+	 * Generates a token which can be used to identify certificates and so forth
 	 * 
-	 * @return the secure token
+	 * @return a new token
 	 */
 	public String nextToken();
 
 	/**
-	 * Converts a given string, e.g. a password to a hash which is defined by the concrete implementation
+	 * Generates a token which can be used to identify certificates and so forth
 	 * 
-	 * @param string
+	 * @return a new token
-	 *            the string to convert
-	 * @return the hash of the string after converting
 	 */
-	public String convertToHash(String string);
+	public byte[] nextSalt();
 
 	/**
-	 * Converts a given byte array, e.g. a password to a hash which is defined by the concrete implementation
+	 * Hashes the given password with the given salt with the configured algorithm
 	 * 
-	 * @param bytes
+	 * @param password
-	 *            the bytes to convert
+	 *            the password
-	 * @return the hash of the string after converting
+	 * @param salt
+	 *            the salt
+	 * 
+	 * @return the hashed password
 	 */
-	public String convertToHash(byte[] bytes);
+	public byte[] hashPassword(final char[] password, final byte[] salt);
 
 	/**
 	 * Initialize the concrete {@link EncryptionHandler}. The passed parameter map contains any configuration the

li.strolch.privilege/src/main/java/li/strolch/privilege/handler/PrivilegeHandler.java

@@ -331,7 +331,7 @@ public interface PrivilegeHandler {
 	 * 
 	 * <p>
 	 * If the password given is null, then the user is created, but can not not login! Otherwise the password must meet
-	 * the requirements of the implementation under {@link PrivilegeHandler#validatePassword(byte[])}
+	 * the requirements of the implementation under {@link PrivilegeHandler#validatePassword(char[])}
 	 * </p>
 	 * 
 	 * @param certificate
@@ -341,14 +341,14 @@ public interface PrivilegeHandler {
 	 * @param password
 	 *            the password of the new user. If the password is null, then this is accepted but the user can not
 	 *            login, otherwise the password must be validated against
-	 *            {@link PrivilegeHandler#validatePassword(byte[])}
+	 *            {@link PrivilegeHandler#validatePassword(char[])}
 	 * 
 	 * @throws AccessDeniedException
 	 *             if the user for this certificate may not perform the action
 	 * @throws PrivilegeException
 	 *             if there is anything wrong with this certificate or the user already exists
 	 */
-	public UserRep addUser(Certificate certificate, UserRep userRep, byte[] password)
+	public UserRep addUser(Certificate certificate, UserRep userRep, char[] password)
 			throws AccessDeniedException, PrivilegeException;
 
 	/**
@@ -390,7 +390,7 @@ public interface PrivilegeHandler {
 	 * 
 	 * <p>
 	 * If the password given is null, then the user is created, but can not not login! Otherwise the password must meet
-	 * the requirements of the implementation under {@link PrivilegeHandler#validatePassword(byte[])}
+	 * the requirements of the implementation under {@link PrivilegeHandler#validatePassword(char[])}
 	 * </p>
 	 * 
 	 * @param certificate
@@ -400,14 +400,14 @@ public interface PrivilegeHandler {
 	 * @param password
 	 *            the password of the new user. If the password is null, then this is accepted but the user can not
 	 *            login, otherwise the password must be validated against
-	 *            {@link PrivilegeHandler#validatePassword(byte[])}
+	 *            {@link PrivilegeHandler#validatePassword(char[])}
 	 * 
 	 * @throws AccessDeniedException
 	 *             if the user for this certificate may not perform the action
 	 * @throws PrivilegeException
 	 *             if there is anything wrong with this certificate or if the user does not exist
 	 */
-	public UserRep replaceUser(Certificate certificate, UserRep userRep, byte[] password)
+	public UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password)
 			throws AccessDeniedException, PrivilegeException;
 
 	/**
@@ -481,7 +481,7 @@ public interface PrivilegeHandler {
 	 * <p>
 	 * Changes the password for the {@link User} with the given username. If the password is null, then the {@link User}
 	 * can not login anymore. Otherwise the password must meet the requirements of the implementation under
-	 * {@link PrivilegeHandler#validatePassword(byte[])}
+	 * {@link PrivilegeHandler#validatePassword(char[])}
 	 * </p>
 	 * 
 	 * <p>
@@ -495,14 +495,14 @@ public interface PrivilegeHandler {
 	 * @param password
 	 *            the new password for this user. If the password is null, then the {@link User} can not login anymore.
 	 *            Otherwise the password must meet the requirements of the implementation under
-	 *            {@link PrivilegeHandler#validatePassword(byte[])}
+	 *            {@link PrivilegeHandler#validatePassword(char[])}
 	 * 
 	 * @throws AccessDeniedException
 	 *             if the user for this certificate may not perform the action
 	 * @throws PrivilegeException
 	 *             if there is anything wrong with this certificate
 	 */
-	public void setUserPassword(Certificate certificate, String username, byte[] password)
+	public void setUserPassword(Certificate certificate, String username, char[] password)
 			throws AccessDeniedException, PrivilegeException;
 
 	/**
@@ -575,14 +575,14 @@ public interface PrivilegeHandler {
 	 *            the username of the {@link User} which is registered in the {@link PersistenceHandler}
 	 * @param password
 	 *            the password with which this user is to be authenticated. Null passwords are not accepted and they
-	 *            must meet the requirements of the {@link #validatePassword(byte[])}-method
+	 *            must meet the requirements of the {@link #validatePassword(char[])}-method
 	 * 
 	 * @return a {@link Certificate} with which this user may then perform actions
 	 * 
 	 * @throws AccessDeniedException
 	 *             if the user credentials are not valid
 	 */
-	public Certificate authenticate(String username, byte[] password) throws AccessDeniedException;
+	public Certificate authenticate(String username, char[] password) throws AccessDeniedException;
 
 	/**
 	 * Invalidates the session for the given {@link Certificate}, effectively logging out the user who was authenticated
@@ -630,7 +630,7 @@ public interface PrivilegeHandler {
 	 * @throws PrivilegeException
 	 *             if the password does not implement the requirement of the concrete implementation
 	 */
-	public void validatePassword(byte[] password) throws PrivilegeException;
+	public void validatePassword(char[] password) throws PrivilegeException;
 
 	/**
 	 * <p>

li.strolch.privilege/src/main/java/li/strolch/privilege/helper/PasswordCreaterUI.java

@@ -1,123 +0,0 @@
-/*
- * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
- * 
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *     http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package li.strolch.privilege.helper;
-
-import java.awt.Dimension;
-import java.awt.GridLayout;
-import java.awt.Toolkit;
-import java.awt.event.ActionEvent;
-import java.awt.event.ActionListener;
-import java.awt.event.KeyEvent;
-import java.awt.event.KeyListener;
-
-import javax.swing.JButton;
-import javax.swing.JComboBox;
-import javax.swing.JFrame;
-import javax.swing.JLabel;
-import javax.swing.JPasswordField;
-import javax.swing.JTextField;
-import javax.swing.SwingConstants;
-
-import li.strolch.utils.helper.StringHelper;
-
-/**
- * Simple Swing UI to create passwords
- * 
- * @author Robert von Burg <eitch@eitchnet.ch>
- */
-@SuppressWarnings("nls")
-public class PasswordCreaterUI {
-
-	/**
-	 * Launches the UI
-	 * 
-	 * @param args
-	 *            not used
-	 */
-	public static void main(String[] args) {
-
-		JFrame.setDefaultLookAndFeelDecorated(true);
-
-		JFrame frame = new JFrame();
-		frame.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
-		frame.setTitle("Password creator");
-		frame.setLayout(new GridLayout(4, 2));
-
-		JLabel digest = new JLabel("Digest:", SwingConstants.RIGHT);
-		JLabel password = new JLabel("Password:", SwingConstants.RIGHT);
-		JLabel hash = new JLabel("Hash:", SwingConstants.RIGHT);
-
-		String[] digests = new String[] { "MD2", "MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512" };
-		final JComboBox<String> digestCombo = new JComboBox<>(digests);
-		digestCombo.setSelectedIndex(3);
-		final JPasswordField passwordField = new JPasswordField();
-		final JTextField hashField = new JTextField(150);
-
-		JButton digestBtn = new JButton("Digest");
-
-		passwordField.addKeyListener(new KeyListener() {
-
-			@Override
-			public void keyTyped(KeyEvent e) {
-				//
-			}
-
-			@Override
-			public void keyReleased(KeyEvent e) {
-				//
-			}
-
-			@Override
-			public void keyPressed(KeyEvent e) {
-				hashField.setText("");
-			}
-		});
-		digestBtn.addActionListener(new ActionListener() {
-
-			@Override
-			public void actionPerformed(ActionEvent e) {
-
-				try {
-					String digest = (String) digestCombo.getSelectedItem();
-					char[] passwordChar = passwordField.getPassword();
-					String password = new String(passwordChar);
-					String hash = StringHelper.hashAsHex(digest, password);
-					hashField.setText(hash);
-				} catch (Exception e1) {
-					e1.printStackTrace();
-					hashField.setText("Failed: " + e1.getLocalizedMessage());
-				}
-			}
-		});
-
-		frame.add(digest);
-		frame.add(digestCombo);
-		frame.add(password);
-		frame.add(passwordField);
-		frame.add(hash);
-		frame.add(hashField);
-		frame.add(new JLabel());
-		frame.add(digestBtn);
-
-		Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize();
-		int width = 500;
-		int height = 160;
-		frame.setSize(width, height);
-		frame.setLocation(screenSize.width / 2 - width, screenSize.height / 2 - height);
-
-		frame.setVisible(true);
-	}
-}

li.strolch.privilege/src/main/java/li/strolch/privilege/helper/PasswordCreator.java

@@ -17,8 +17,12 @@ package li.strolch.privilege.helper;
 
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
-import java.security.MessageDigest;
+import java.util.HashMap;
+import java.util.Map;
 
+import javax.crypto.SecretKeyFactory;
+
+import li.strolch.privilege.handler.DefaultEncryptionHandler;
 import li.strolch.utils.helper.StringHelper;
 
 /**
@@ -26,10 +30,6 @@ import li.strolch.utils.helper.StringHelper;
  * Simple main class which can be used to create a hash from a password which the user must type in at the command line
  * </p>
  * 
- * <p>
- * TODO: Note: currently the password input is echoed which is a security risk
- * </p>
- * 
  * @author Robert von Burg <eitch@eitchnet.ch>
  */
 public class PasswordCreator {
@@ -47,26 +47,82 @@ public class PasswordCreator {
 
 		String hashAlgorithm = null;
 		while (hashAlgorithm == null) {
-			System.out.print("Hash Algorithm [SHA-256]: ");
+			System.out.print("Hash Algorithm [PBKDF2WithHmacSHA512]: ");
 			String readLine = r.readLine().trim();
 
 			if (readLine.isEmpty()) {
-				hashAlgorithm = "SHA-256";
+				hashAlgorithm = "PBKDF2WithHmacSHA512";
 			} else {
 
 				try {
-					MessageDigest.getInstance(readLine);
+					SecretKeyFactory.getInstance(readLine);
 					hashAlgorithm = readLine;
 				} catch (Exception e) {
-					System.out.println(e.getLocalizedMessage());
+					System.err.println(e.getLocalizedMessage());
 					hashAlgorithm = null;
 				}
 			}
 		}
 
-		System.out.print("Password: ");
+		int iterations = -1;
-		String password = r.readLine().trim();
+		while (iterations == -1) {
-		System.out.print("Hash is: " + StringHelper.hashAsHex(hashAlgorithm, password));
+			System.out.print("Hash iterations [200000]: ");
-	}
+			String readLine = r.readLine().trim();
 
+			if (readLine.isEmpty()) {
+				iterations = 200000;
+			} else {
+
+				try {
+					iterations = Integer.parseInt(readLine);
+				} catch (Exception e) {
+					System.err.println(e.getLocalizedMessage());
+					iterations = -1;
+				}
+			}
+		}
+
+		int keyLength = -1;
+		while (keyLength == -1) {
+			System.out.print("Hash keyLength [256]: ");
+			String readLine = r.readLine().trim();
+
+			if (readLine.isEmpty()) {
+				keyLength = 256;
+			} else {
+
+				try {
+					keyLength = Integer.parseInt(readLine);
+					if (keyLength <= 0)
+						throw new IllegalArgumentException("KeyLength must be > 0");
+				} catch (Exception e) {
+					System.err.println(e.getLocalizedMessage());
+					keyLength = -1;
+				}
+			}
+		}
+
+		System.out.print("Password: ");
+		char[] password = r.readLine().trim().toCharArray();
+		System.out.print("Salt: ");
+		String saltS = StringHelper.getHexString(r.readLine().trim().getBytes());
+		byte[] salt = StringHelper.fromHexString(saltS);
+
+		Map<String, String> parameterMap = new HashMap<>();
+		parameterMap.put(XmlConstants.XML_PARAM_HASH_ALGORITHM, hashAlgorithm);
+		parameterMap.put(XmlConstants.XML_PARAM_HASH_ITERATIONS, "" + iterations);
+		parameterMap.put(XmlConstants.XML_PARAM_HASH_KEY_LENGTH, "" + keyLength);
+
+		DefaultEncryptionHandler encryptionHandler = new DefaultEncryptionHandler();
+		encryptionHandler.initialize(parameterMap);
+
+		byte[] passwordHash = encryptionHandler.hashPassword(password, salt);
+		String passwordHashS = StringHelper.getHexString(passwordHash);
+		System.out.println("Hash is: " + passwordHashS);
+		System.out.println("Salt is: " + saltS);
+		System.out.println();
+
+		System.out.println(XmlConstants.XML_ATTR_PASSWORD + "=\"" + passwordHashS + "\" " + XmlConstants.XML_ATTR_SALT
+				+ "=\"" + saltS + "\"");
+	}
 }

li.strolch.privilege/src/main/java/li/strolch/privilege/helper/XmlConstants.java

@@ -233,11 +233,26 @@ public class XmlConstants {
 	 */
 	public static final String XML_ATTR_PASSWORD = "password";
 
+	/**
+	 * XML_ATTR_SALT = "salt" :
+	 */
+	public static final String XML_ATTR_SALT = "salt";
+
 	/**
 	 * XML_PARAM_HASH_ALGORITHM = "hashAlgorithm" :
 	 */
 	public static final String XML_PARAM_HASH_ALGORITHM = "hashAlgorithm";
 
+	/**
+	 * XML_PARAM_HASH_ALGORITHM = "hashAlgorithm" :
+	 */
+	public static final String XML_PARAM_HASH_ITERATIONS = "hashIterations";
+
+	/**
+	 * XML_PARAM_HASH_ALGORITHM = "hashAlgorithm" :
+	 */
+	public static final String XML_PARAM_HASH_KEY_LENGTH = "hashKeyLength";
+
 	/**
 	 * XML_PARAM_USERS_FILE = "usersXmlFile" :
 	 */

li.strolch.privilege/src/main/java/li/strolch/privilege/model/internal/User.java

@@ -43,7 +43,8 @@ public final class User {
 	private final String userId;
 
 	private final String username;
-	private final String password;
+	private final byte[] password;
+	private final byte[] salt;
 
 	private final String firstname;
 	private final String lastname;
@@ -78,7 +79,7 @@ public final class User {
 	 * @param propertyMap
 	 *            a {@link Map} containing string value pairs of properties for this user
 	 */
-	public User(String userId, String username, String password, String firstname, String lastname,
+	public User(String userId, String username, byte[] password, byte[] salt, String firstname, String lastname,
 			UserState userState, Set<String> roles, Locale locale, Map<String, String> propertyMap) {
 
 		if (StringHelper.isEmpty(userId)) {
@@ -107,7 +108,8 @@ public final class User {
 		this.userId = userId;
 
 		this.username = username;
-		this.password = StringHelper.isEmpty(password) ? null : password;
+		this.password = password;
+		this.salt = salt;
 		this.userState = userState;
 
 		this.firstname = firstname;
@@ -148,10 +150,19 @@ public final class User {
 	 * 
 	 * @return the hashed password for this {@link User}
 	 */
-	public String getPassword() {
+	public byte[] getPassword() {
 		return this.password;
 	}
 
+	/**
+	 * Return the salt for this {@link User}
+	 * 
+	 * @return the salt for this {@link User}
+	 */
+	public byte[] getSalt() {
+		return this.salt;
+	}
+
 	/**
 	 * @return the first name
 	 */

li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeUsersDomWriter.java

@@ -59,8 +59,10 @@ public class PrivilegeUsersDomWriter {
 
 			userElement.setAttribute(XmlConstants.XML_ATTR_USER_ID, user.getUserId());
 			userElement.setAttribute(XmlConstants.XML_ATTR_USERNAME, user.getUsername());
-			if (StringHelper.isNotEmpty(user.getPassword()))
+			if (user.getPassword() != null)
-				userElement.setAttribute(XmlConstants.XML_ATTR_PASSWORD, user.getPassword());
+				userElement.setAttribute(XmlConstants.XML_ATTR_PASSWORD, StringHelper.getHexString(user.getPassword()));
+			if (user.getSalt() != null)
+				userElement.setAttribute(XmlConstants.XML_ATTR_SALT, StringHelper.getHexString(user.getSalt()));
 
 			// add first name element
 			if (StringHelper.isNotEmpty(user.getFirstname())) {

li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeUsersSaxReader.java

@@ -35,6 +35,7 @@ import org.xml.sax.helpers.DefaultHandler;
 import li.strolch.privilege.helper.XmlConstants;
 import li.strolch.privilege.model.UserState;
 import li.strolch.privilege.model.internal.User;
+import li.strolch.utils.helper.StringHelper;
 
 /**
  * @author Robert von Burg <eitch@eitchnet.ch>
@@ -114,7 +115,8 @@ public class PrivilegeUsersSaxReader extends DefaultHandler {
 
 		String userId;
 		String username;
-		String password;
+		byte[] password;
+		byte[] salt;
 		String firstName;
 		String lastname;
 		UserState userState;
@@ -135,7 +137,12 @@ public class PrivilegeUsersSaxReader extends DefaultHandler {
 			if (qName.equals(XmlConstants.XML_USER)) {
 				this.userId = attributes.getValue(XmlConstants.XML_ATTR_USER_ID);
 				this.username = attributes.getValue(XmlConstants.XML_ATTR_USERNAME);
-				this.password = attributes.getValue(XmlConstants.XML_ATTR_PASSWORD);
+				String passwordS = attributes.getValue(XmlConstants.XML_ATTR_PASSWORD);
+				if (!StringHelper.isEmpty(passwordS))
+					this.password = StringHelper.fromHexString(passwordS);
+				String saltS = attributes.getValue(XmlConstants.XML_ATTR_SALT);
+				if (!StringHelper.isEmpty(saltS))
+					this.salt = StringHelper.fromHexString(saltS);
 			}
 		}
 
@@ -165,8 +172,8 @@ public class PrivilegeUsersSaxReader extends DefaultHandler {
 				// NO-OP
 			} else if (qName.equals(XmlConstants.XML_USER)) {
 
-				User user = new User(this.userId, this.username, this.password, this.firstName, this.lastname,
+				User user = new User(this.userId, this.username, this.password, this.salt, this.firstName,
-						this.userState, this.userRoles, this.locale, this.parameters);
+						this.lastname, this.userState, this.userRoles, this.locale, this.parameters);
 				logger.info(MessageFormat.format("New User: {0}", user)); //$NON-NLS-1$
 				getUsers().add(user);
 			} else {

li.strolch.privilege/src/test/java/li/strolch/privilege/test/AbstractPrivilegeTest.java

@@ -22,7 +22,7 @@ public class AbstractPrivilegeTest {
 	protected PrivilegeHandler privilegeHandler;
 	protected PrivilegeContext ctx;
 
-	protected void login(String username, byte[] password) {
+	protected void login(String username, char[] password) {
 		Certificate certificate = privilegeHandler.authenticate(username, password);
 		assertTrue("Certificate is null!", certificate != null);
 		PrivilegeContext privilegeContext = privilegeHandler.getPrivilegeContext(certificate);

li.strolch.privilege/src/test/java/li/strolch/privilege/test/PersistSessionsTest.java

@@ -37,7 +37,7 @@ public class PersistSessionsTest extends AbstractPrivilegeTest {
 		assertFalse("Sessions File should no yet exist", sessionsFile.exists());
 
 		// login and assert sessions file was written
-		login("admin", "admin".getBytes());
+		login("admin", "admin".toCharArray());
 		this.privilegeHandler.isCertificateValid(ctx.getCertificate());
 		assertTrue("Sessions File should have been created!", sessionsFile.isFile());
 

li.strolch.privilege/src/test/java/li/strolch/privilege/test/PrivilegeConflictMergeTest.java

@@ -51,7 +51,7 @@ public class PrivilegeConflictMergeTest extends AbstractPrivilegeTest {
 	@Test
 	public void shouldMergePrivileges1() {
 		try {
-			login("userA", "admin".getBytes());
+			login("userA", "admin".toCharArray());
 			IPrivilege privilege = this.ctx.getPrivilege("Foo");
 			assertTrue(privilege.isAllAllowed());
 			assertTrue(privilege.getAllowList().isEmpty());
@@ -65,7 +65,7 @@ public class PrivilegeConflictMergeTest extends AbstractPrivilegeTest {
 	@Test
 	public void shouldMergePrivileges2() {
 		try {
-			login("userB", "admin".getBytes());
+			login("userB", "admin".toCharArray());
 			IPrivilege privilege = this.ctx.getPrivilege("Bar");
 			assertFalse(privilege.isAllAllowed());
 			assertEquals(2, privilege.getAllowList().size());

li.strolch.privilege/src/test/java/li/strolch/privilege/test/PrivilegeTest.java

@@ -70,21 +70,21 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
 	private static final String ROLE_PRIVILEGE_ADMIN = "PrivilegeAdmin";
 	private static final String PRIVILEGE_USER_ACCESS = "UserAccessPrivilege";
 	private static final String ADMIN = "admin";
-	private static final byte[] PASS_ADMIN = "admin".getBytes();
+	private static final char[] PASS_ADMIN = "admin".toCharArray();
 	private static final String BOB = "bob";
 	private static final String TED = "ted";
 	private static final String SYSTEM_USER_ADMIN = "system_admin";
 	private static final String SYSTEM_USER_ADMIN2 = "system_admin2";
-	private static final byte[] PASS_BOB = "admin1".getBytes();
+	private static final char[] PASS_BOB = "admin1".toCharArray();
 	private static final String ROLE_APP_USER = "AppUser";
 	private static final String ROLE_MY = "MyRole";
 	private static final String ROLE_MY2 = "MyRole2";
 	private static final String ROLE_CHANGE_PW = "changePw";
 	private static final String ROLE_TEMP = "temp";
 	private static final String ROLE_USER = "user";
-	private static final byte[] PASS_DEF = "def".getBytes();
+	private static final char[] PASS_DEF = "def".toCharArray();
-	private static final byte[] PASS_BAD = "123".getBytes();
+	private static final char[] PASS_BAD = "123".toCharArray();
-	private static final byte[] PASS_TED = "12345".getBytes();
+	private static final char[] PASS_TED = "12345".toCharArray();
 
 	private static final Logger logger = LoggerFactory.getLogger(PrivilegeTest.class);
 
@@ -223,7 +223,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest {
 		this.exception.expect(AccessDeniedException.class);
 		this.exception.expectMessage("User system_admin is a system user and may not login!");
 		try {
-			login(SYSTEM_USER_ADMIN, SYSTEM_USER_ADMIN.getBytes());
+			login(SYSTEM_USER_ADMIN, SYSTEM_USER_ADMIN.toCharArray());
 		} finally {
 			logout();
 		}

li.strolch.privilege/src/test/java/li/strolch/privilege/test/XmlTest.java

@@ -129,7 +129,7 @@ public class XmlTest {
 
 		assertEquals(6, containerModel.getParameterMap().size());
 		assertEquals(3, containerModel.getPolicies().size());
-		assertEquals(1, containerModel.getEncryptionHandlerParameterMap().size());
+		assertEquals(3, containerModel.getEncryptionHandlerParameterMap().size());
 		assertEquals(3, containerModel.getPersistenceHandlerParameterMap().size());
 
 		// TODO extend assertions to actual model
@@ -184,7 +184,9 @@ public class XmlTest {
 		User admin = findUser("admin", users);
 		assertEquals("1", admin.getUserId());
 		assertEquals("admin", admin.getUsername());
-		assertEquals("8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918", admin.getPassword());
+		assertEquals("cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344",
+				StringHelper.getHexString(admin.getPassword()));
+		assertEquals("61646d696e", StringHelper.getHexString(admin.getSalt()));
 		assertEquals("Application", admin.getFirstname());
 		assertEquals("Administrator", admin.getLastname());
 		assertEquals(UserState.ENABLED, admin.getUserState());
@@ -200,6 +202,7 @@ public class XmlTest {
 		assertEquals("2", systemAdmin.getUserId());
 		assertEquals("system_admin", systemAdmin.getUsername());
 		assertEquals(null, systemAdmin.getPassword());
+		assertEquals(null, systemAdmin.getSalt());
 		assertEquals("System User", systemAdmin.getFirstname());
 		assertEquals("Administrator", systemAdmin.getLastname());
 		assertEquals(UserState.SYSTEM, systemAdmin.getUserState());
@@ -264,9 +267,8 @@ public class XmlTest {
 		Role systemAdminPrivileges = findRole("system_admin_privileges", roles);
 		assertEquals("system_admin_privileges", systemAdminPrivileges.getName());
 		assertEquals(2, systemAdminPrivileges.getPrivilegeNames().size());
-		assertThat(systemAdminPrivileges.getPrivilegeNames(),
+		assertThat(systemAdminPrivileges.getPrivilegeNames(), containsInAnyOrder(
-				containsInAnyOrder("li.strolch.privilege.handler.SystemAction",
+				"li.strolch.privilege.handler.SystemAction", "li.strolch.privilege.test.model.TestSystemRestrictable"));
-						"li.strolch.privilege.test.model.TestSystemRestrictable"));
 
 		IPrivilege testSystemUserAction = systemAdminPrivileges
 				.getPrivilege("li.strolch.privilege.handler.SystemAction");
@@ -288,11 +290,9 @@ public class XmlTest {
 		Role restrictedRole = findRole("restrictedRole", roles);
 		assertEquals("restrictedRole", restrictedRole.getName());
 		assertEquals(1, restrictedRole.getPrivilegeNames().size());
-		assertThat(restrictedRole.getPrivilegeNames(),
+		assertThat(restrictedRole.getPrivilegeNames(), containsInAnyOrder("li.strolch.privilege.handler.SystemAction"));
-				containsInAnyOrder("li.strolch.privilege.handler.SystemAction"));
 
-		IPrivilege testSystemUserAction2 = restrictedRole
+		IPrivilege testSystemUserAction2 = restrictedRole.getPrivilege("li.strolch.privilege.handler.SystemAction");
-				.getPrivilege("li.strolch.privilege.handler.SystemAction");
 		assertEquals("li.strolch.privilege.handler.SystemAction", testSystemUserAction2.getName());
 		assertEquals("DefaultPrivilege", testSystemUserAction2.getPolicy());
 		assertFalse(testSystemUserAction2.isAllAllowed());
@@ -341,16 +341,16 @@ public class XmlTest {
 		propertyMap.put("prop1", "value1");
 		userRoles = new HashSet<>();
 		userRoles.add("role1");
-		User user1 = new User("1", "user1", "blabla", "Bob", "White", UserState.DISABLED, userRoles, Locale.ENGLISH,
+		User user1 = new User("1", "user1", "blabla".getBytes(), "blabla".getBytes(), "Bob", "White",
-				propertyMap);
+				UserState.DISABLED, userRoles, Locale.ENGLISH, propertyMap);
 		users.add(user1);
 
 		propertyMap = new HashMap<>();
 		propertyMap.put("prop2", "value2");
 		userRoles = new HashSet<>();
 		userRoles.add("role2");
-		User user2 = new User("2", "user2", "haha", "Leonard", "Sheldon", UserState.ENABLED, userRoles, Locale.ENGLISH,
+		User user2 = new User("2", "user2", "haha".getBytes(), "haha".getBytes(), "Leonard", "Sheldon",
-				propertyMap);
+				UserState.ENABLED, userRoles, Locale.ENGLISH, propertyMap);
 		users.add(user2);
 
 		File modelFile = new File("./target/test/PrivilegeUsersTest.xml");
@@ -370,7 +370,8 @@ public class XmlTest {
 		assertEquals(user1.getFirstname(), parsedUser1.getFirstname());
 		assertEquals(user1.getLastname(), parsedUser1.getLastname());
 		assertEquals(user1.getLocale(), parsedUser1.getLocale());
-		assertEquals(user1.getPassword(), parsedUser1.getPassword());
+		assertTrue(Arrays.equals(user1.getPassword(), parsedUser1.getPassword()));
+		assertTrue(Arrays.equals(user1.getSalt(), parsedUser1.getSalt()));
 		assertEquals(user1.getProperties(), parsedUser1.getProperties());
 		assertEquals(user1.getUserId(), parsedUser1.getUserId());
 		assertEquals(user1.getUserState(), parsedUser1.getUserState());
@@ -379,7 +380,8 @@ public class XmlTest {
 		assertEquals(user2.getFirstname(), parsedUser2.getFirstname());
 		assertEquals(user2.getLastname(), parsedUser2.getLastname());
 		assertEquals(user2.getLocale(), parsedUser2.getLocale());
-		assertEquals(user2.getPassword(), parsedUser2.getPassword());
+		assertTrue(Arrays.equals(user2.getPassword(), parsedUser2.getPassword()));
+		assertTrue(Arrays.equals(user2.getSalt(), parsedUser2.getSalt()));
 		assertEquals(user2.getProperties(), parsedUser2.getProperties());
 		assertEquals(user2.getUserId(), parsedUser2.getUserId());
 		assertEquals(user2.getUserState(), parsedUser2.getUserState());

li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java

@@ -138,7 +138,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St
 	}
 
 	@Override
-	public Certificate authenticate(String username, byte[] password) {
+	public Certificate authenticate(String username, char[] password) {
 		DBC.PRE.assertNotEmpty("Username must be set!", username); //$NON-NLS-1$
 		DBC.PRE.assertNotNull("Passwort must be set", password); //$NON-NLS-1$
 

li.strolch.rest/src/main/java/li/strolch/rest/StrolchSessionHandler.java

@@ -28,7 +28,7 @@ import li.strolch.rest.model.UserSession;
  */
 public interface StrolchSessionHandler {
 
-	public Certificate authenticate(String username, byte[] password);
+	public Certificate authenticate(String username, char[] password);
 
 	public Certificate validate(String authToken);
 

li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java

@@ -92,7 +92,8 @@ public class AuthenticationService {
 				sb.append("Password was not given!"); //$NON-NLS-1$
 			}
 
-			byte[] password = passwordE == null ? new byte[] {} : Base64.getDecoder().decode(passwordE.getAsString());
+			char[] password = passwordE == null ? new char[] {}
+					: new String(Base64.getDecoder().decode(passwordE.getAsString())).toCharArray();
 			if (password.length < 3) {
 				if (sb.length() > 0)
 					sb.append("\n");
@@ -295,7 +296,7 @@ public class AuthenticationService {
 				String msg = "Authorization cookie is secure, but connection is not secure! Cookie won't be passed to client!";
 				logger.warn(msg);
 			}
-			
+
 			NewCookie cookie = new NewCookie(StrolchRestfulConstants.STROLCH_AUTHORIZATION, certificate.getAuthToken(),
 					"/", null, "Authorization header", (int) TimeUnit.DAYS.toSeconds(1), secureCookie);
 

li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java

@@ -360,7 +360,7 @@ public class PrivilegeUsersService {
 		PrivilegeSetUserPasswordService svc = new PrivilegeSetUserPasswordService();
 		PrivilegeSetUserPasswordArgument arg = new PrivilegeSetUserPasswordArgument();
 		arg.username = username;
-		arg.password = Base64.getDecoder().decode(password);
+		arg.password = new String(Base64.getDecoder().decode(password)).toCharArray();
 
 		ServiceResult svcResult = svcHandler.doService(cert, svc, arg);
 		if (svcResult.isOk()) {

li.strolch.rest/src/test/resources/withPrivilegeRuntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.rest/src/test/resources/withPrivilegeRuntime/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="1" username="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918">
+	<User userId="1" username="admin" password="cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344" salt="61646d696e">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -20,7 +20,7 @@
 		</Properties>
 	</User>
 
-	<User userId="2" username="bob" password="81b637d8fcd2c6da6359e6963113a1170de795e4b725b84d1e0b4cfd9ec58ce9">
+	<User userId="2" username="bob" password="d4466de3cad2a005930c4317ad0fcb307422c63b8febd5d7721195cd511edde5" salt="626f62">
 		<Firstname>Bob</Firstname>
 		<Lastname>Bernstein</Lastname>
 		<State>ENABLED</State>
@@ -30,7 +30,7 @@
 		</Roles>
 
 	</User>
-	<User userId="3" username="jill" password="8cf37351b60f00084392043ce2e6256b96cea92949f90c7abce464cf164fbfa6">
+	<User userId="3" username="jill" password="b7d33c8305bf89ed21be111270310a7450198be8be6b362e52999c2500eb5218" salt="6a696c6c">
 		<Firstname>Jill</Firstname>
 		<Lastname>Johnson</Lastname>
 		<State>ENABLED</State>
@@ -40,7 +40,7 @@
 		</Roles>
 
 	</User>
-	<User userId="4" username="sysAdmin" password="8cffb494ef5ff3f74a571206e141d4fb84f833e431b98c8b3be43727c4cbddc1">
+	<User userId="4" username="sysAdmin" password="fd6a5e8f6a59fbb18109444c5ea99ac326353cd664cc8d61a3a785081e7f4aa0" salt="73797341646d696e">
 		<Firstname>System User</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>SYSTEM</State>

li.strolch.service/src/main/java/li/strolch/service/privilege/users/PrivilegeSetUserPasswordArgument.java

@@ -20,5 +20,5 @@ import li.strolch.service.api.ServiceArgument;
 public class PrivilegeSetUserPasswordArgument extends ServiceArgument {
 	private static final long serialVersionUID = 1L;
 	public String username;
-	public byte[] password;
+	public char[] password;
 }

li.strolch.service/src/test/java/li/strolch/command/AbstractRealmCommandTest.java

@@ -65,7 +65,7 @@ public abstract class AbstractRealmCommandTest {
 		runtimeMock.mockRuntime(rootPath, configSrc);
 		runtimeMock.startContainer();
 
-		certificate = runtimeMock.getPrivilegeHandler().authenticate(getUsername(), "test".getBytes());
+		certificate = runtimeMock.getPrivilegeHandler().authenticate(getUsername(), getUsername().toCharArray());
 		importFromXml(REALM_CACHED, certificate, getServiceHandler());
 		importFromXml(REALM_TRANSACTIONAL, certificate, getServiceHandler());
 	}

li.strolch.service/src/test/java/li/strolch/migrations/MigrationsTest.java

@@ -56,7 +56,7 @@ public class MigrationsTest {
 		runtimeMock.mockRuntime(rootPath, configSrc);
 		runtimeMock.startContainer();
 
-		certificate = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		certificate = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 	}
 
 	@AfterClass

li.strolch.service/src/test/java/li/strolch/service/test/AbstractRealmServiceTest.java

@@ -75,7 +75,7 @@ public abstract class AbstractRealmServiceTest {
 		runtimeMock.mockRuntime(rootPath, configSrc);
 		runtimeMock.startContainer();
 
-		this.certificate = runtimeMock.getPrivilegeHandler().authenticate(getUsername(), "test".getBytes());
+		this.certificate = runtimeMock.getPrivilegeHandler().authenticate(getUsername(), getUsername().toCharArray());
 		importFromXml(REALM_CACHED, this.certificate, getServiceHandler());
 		importFromXml(REALM_TRANSACTIONAL, this.certificate, getServiceHandler());
 	}

li.strolch.service/src/test/java/li/strolch/service/test/GreetingServiceTest.java

@@ -37,7 +37,7 @@ public class GreetingServiceTest extends AbstractServiceTest {
 		GreetingArgument greetingArgument = new GreetingArgument();
 		greetingArgument.name = "Robert"; //$NON-NLS-1$
 
-		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".getBytes()); //$NON-NLS-1$//$NON-NLS-2$
+		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
 		try {
 			GreetingResult greetingResult = getServiceHandler().doService(certificate, greetingService,
 					greetingArgument);

li.strolch.service/src/test/java/li/strolch/service/test/LockingTest.java

@@ -72,7 +72,7 @@ public class LockingTest {
 	}
 
 	public static Certificate login() {
-		return runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		return runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 	}
 
 	@Test

li.strolch.service/src/test/java/li/strolch/service/test/ServiceTest.java

@@ -74,7 +74,7 @@ public class ServiceTest extends AbstractServiceTest {
 	@Test
 	public void shouldFailWithNoAccess() {
 
-		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".getBytes()); //$NON-NLS-1$//$NON-NLS-2$
+		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
 		try {
 			TestService testService = new TestService();
 			ServiceResult svcResult = getServiceHandler().doService(certificate, testService);
@@ -88,7 +88,7 @@ public class ServiceTest extends AbstractServiceTest {
 
 	@Test
 	public void shouldNotFailWithAccess() {
-		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".getBytes()); //$NON-NLS-1$//$NON-NLS-2$
+		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
 		try {
 			GreetingService service = new GreetingService();
 			GreetingArgument argument = new GreetingArgument();
@@ -103,7 +103,7 @@ public class ServiceTest extends AbstractServiceTest {
 	@Test
 	public void shouldNotFailWithLogin1() {
 
-		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".getBytes()); //$NON-NLS-1$//$NON-NLS-2$
+		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
 		try {
 			TestService testService = new TestService();
 			getServiceHandler().doService(certificate, testService);
@@ -114,7 +114,7 @@ public class ServiceTest extends AbstractServiceTest {
 
 	@Test
 	public void shouldNotFailWithLogin2() {
-		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".getBytes()); //$NON-NLS-1$//$NON-NLS-2$
+		Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$
 		try {
 			GreetingService service = new GreetingService();
 			GreetingArgument argument = new GreetingArgument();

li.strolch.service/src/test/java/li/strolch/service/test/XmlExportServiceTest.java

@@ -54,7 +54,7 @@ public class XmlExportServiceTest {
 		runtimeMock.mockRuntime(rootPath, configSrc);
 		runtimeMock.startContainer();
 
-		certificate = runtimeMock.getPrivilegeHandler().authenticate("test", "test".getBytes());
+		certificate = runtimeMock.getPrivilegeHandler().authenticate("test", "test".toCharArray());
 	}
 
 	@AfterClass

li.strolch.service/src/test/resources/executiontest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.service/src/test/resources/executiontest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="3" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="3" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.service/src/test/resources/migrationstest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.service/src/test/resources/migrationstest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.service/src/test/resources/reporttest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.service/src/test/resources/reporttest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="3" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="3" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.service/src/test/resources/svctest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.service/src/test/resources/svctest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="3" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="3" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>
@@ -15,7 +15,7 @@
 			<Role>AppUser</Role>
 		</Roles>
 	</User>
-	<User userId="3" username="admin" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="3" username="admin" password="cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344" salt="61646d696e">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.service/src/test/resources/transienttest/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>
 

li.strolch.service/src/test/resources/transienttest/config/PrivilegeUsers.xml

@@ -6,7 +6,7 @@
 			<Role>agent</Role>
 		</Roles>
 	</User>
-	<User userId="2" username="test" password="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08">
+	<User userId="2" username="test" password="fdd9d2def3475e1d5cc87107b87e14fd6adbca664c2874fc379a1e53931c0428" salt="74657374">
 		<Firstname>Application</Firstname>
 		<Lastname>Administrator</Lastname>
 		<State>ENABLED</State>

li.strolch.service/src/test/resources/withPrivilegeRuntime/config/PrivilegeConfig.xml

@@ -10,7 +10,13 @@
 
 		<EncryptionHandler class="li.strolch.privilege.handler.DefaultEncryptionHandler">
 			<Parameters>
-				<Parameter name="hashAlgorithm" value="SHA-256" />
+				<!-- WARNING: If you change iterations or keyLength, then all passwords are invalid -->
+				<!-- default algorithm is: PBKDF2WithHmacSHA512 -->
+				<Parameter name="hashAlgorithm" value="PBKDF2WithHmacSHA512" />
+				<!-- default iterations: 200000 -->
+				<Parameter name="hashIterations" value="10000" />
+				<!-- default key length: 256 -->
+				<Parameter name="hashKeyLength" value="256" />
 			</Parameters>
 		</EncryptionHandler>