diff --git a/src/main/java/org/radarbase/management/config/OAuth2ServerConfiguration.java b/src/main/java/org/radarbase/management/config/OAuth2ServerConfiguration.java
index 562e58057..87c9bdcab 100644
--- a/src/main/java/org/radarbase/management/config/OAuth2ServerConfiguration.java
+++ b/src/main/java/org/radarbase/management/config/OAuth2ServerConfiguration.java
@@ -26,6 +26,7 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
@@ -59,6 +60,9 @@ public class OAuth2ServerConfiguration {
 @Autowired
 private DataSource dataSource;
+ @Autowired
+ private PasswordEncoder passwordEncoder;
+
 @Configuration
 @Order(-20)
 protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@@ -87,7 +91,7 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception {
 @Bean
 public JdbcClientDetailsService jdbcClientDetailsService() {
 JdbcClientDetailsService clientDetailsService = new JdbcClientDetailsService(dataSource);
- clientDetailsService.setPasswordEncoder(new BCryptPasswordEncoder());
+ clientDetailsService.setPasswordEncoder(passwordEncoder);
 return clientDetailsService;
 }
diff --git a/src/main/java/org/radarbase/management/config/SecurityConfiguration.java b/src/main/java/org/radarbase/management/config/SecurityConfiguration.java
index 1c3e4c797..058d76dab 100644
--- a/src/main/java/org/radarbase/management/config/SecurityConfiguration.java
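Review bot: The `passwordEncoder` dependency added to OAuth2ServerConfiguration in the `@@ -59,6 +60,9 @@` hunk is a mutable `@Autowired` field, while this same commit converts SecurityConfiguration to constructor injection with `final` fields. Using the same pattern here (`private final PasswordEncoder passwordEncoder;` assigned in a constructor) would keep the two security configuration classes consistent and prevent the encoder reference from being reassigned after start-up. The class body and the existing field-injected `dataSource` continue outside the hunk, so whether a constructor fits alongside the nested configuration classes has to be checked against the full file.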
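Review bot: After the `@@ -87,7 +91,7 @@` change, `jdbcClientDetailsService()` no longer constructs a `BCryptPasswordEncoder`, yet `import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;` is still present as a context line in the first hunk of this file. If nothing else in OAuth2ServerConfiguration uses the class (the rest of the file is outside the diff), the import is now dead and should be dropped, as was done for SecurityConfiguration in this commit.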
+++ b/src/main/java/org/radarbase/management/config/SecurityConfiguration.java
@@ -22,7 +22,6 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@@ -39,21 +38,30 @@
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
- @Autowired
- private AuthenticationManagerBuilder authenticationManagerBuilder;
+ private final AuthenticationManagerBuilder authenticationManagerBuilder;
- @Autowired
- private UserDetailsService userDetailsService;
+ private final UserDetailsService userDetailsService;
+
+ private final ApplicationEventPublisher applicationEventPublisher;
+ private final PasswordEncoder passwordEncoder;
 @Autowired
- private ApplicationEventPublisher applicationEventPublisher;
+ public SecurityConfiguration(AuthenticationManagerBuilder authenticationManagerBuilder,
+ UserDetailsService userDetailsService,
+ ApplicationEventPublisher applicationEventPublisher,
+ PasswordEncoder passwordEncoder) {
+ this.authenticationManagerBuilder = authenticationManagerBuilder;
+ this.userDetailsService = userDetailsService;
+ this.applicationEventPublisher = applicationEventPublisher;
+ this.passwordEncoder = passwordEncoder;
+ }
 @PostConstruct
 public void init() {
 try {
 authenticationManagerBuilder
 .userDetailsService(userDetailsService)
- .passwordEncoder(passwordEncoder())
+ .passwordEncoder(passwordEncoder)
 .and()
 .authenticationProvider(new RadarAuthenticationProvider())
 .authenticationEventPublisher(
@@ -73,13 +81,8 @@ public Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint() {
 return new Http401UnauthorizedEntryPoint();
 }
- @Bean
- public PasswordEncoder passwordEncoder() {
- return new BCryptPasswordEncoder();
- }
-
 @Override
- public void configure(WebSecurity web) throws Exception {
+ public void configure(WebSecurity web) {
 web.ignoring()
 .antMatchers(HttpMethod.OPTIONS, "/**")
 .antMatchers("/app/**/*.{js,html}")
diff --git a/src/main/java/org/radarbase/management/config/WebConfigurer.java b/src/main/java/org/radarbase/management/config/WebConfigurer.java
index 86dfebf22..22fa5683f 100644
--- a/src/main/java/org/radarbase/management/config/WebConfigurer.java
+++ b/src/main/java/org/radarbase/management/config/WebConfigurer.java
@@ -11,6 +11,8 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;
 import org.springframework.core.env.Profiles;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;
@@ -126,6 +128,11 @@ public CorsFilter corsFilter() {
 return new CorsFilter(source);
 }
+ @Bean
+ public PasswordEncoder passwordEncoder() {
+ return new BCryptPasswordEncoder();
+ }
+
 /**
 * Initializes H2 console.
 */
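Review bot: The `passwordEncoder()` bean added to WebConfigurer in the `@@ -126,6 +128,11 @@` hunk has no Javadoc, unlike the neighbouring `/** Initializes H2 console. */` block, and nothing explains why a credential-hashing bean lives in the web/CORS configuration class. Suggest `/** Password encoder shared by SecurityConfiguration (user passwords) and OAuth2ServerConfiguration (OAuth client secrets). */`, plus a sentence giving the reason for the placement if it was moved to break a bean cycle introduced by the new constructor injection (presumed, not visible in the diff). Because one bean now verifies both user password hashes and stored client secrets, the comment should also state that any replacement encoder must still accept the hashes already stored. `new BCryptPasswordEncoder()` leaves the work factor at the library default; passing the strength explicitly would make that choice visible in review.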