IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"

This is an in-memory users setup for a Spring Security demo that I'm using since Spring 4:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;

 * Security Config.
 * Defines spring security beans and configurations.
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    public void configureGlobal(AuthenticationManagerBuilder authBuilder) throws Exception {

Lately, I upgrading this project to Spring 5, and during login, I encountered this issue:

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"$UnmappedIdPasswordEncoder.matches($LazyPasswordEncoder.matches(

Searching the internet, the solution for this issue is quite simple, and well documented here. Prior to Spring Security 5.0 the default PasswordEncoder was NoOpPasswordEncoder which required plain text passwords.

Spring Security 5.0 defaulted to DelegatingPasswordEncoder which:

  • Ensuring that passwords are encoded using the current password storage recommendations
  • Allowing for validating passwords in modern and legacy formats
  • Allowing for upgrading the encoding in the future

"Password storage recommendations" refer to Password Storage Format, which generally following this format:


id is an identifier used to look up which PasswordEncoder should be used and encodedPassword is the original encoded password for the selected PasswordEncoder. Here list of id for different PasswordEncoder:

noopNoOpPasswordEncoderplain text password
bcryptBCryptPasswordEncoderbcrypt is a password hashing function based on the Blowfish cipher
pbkdf2Pbkdf2PasswordEncoderPBKDF2 (Password-Based Key Derivation Function 2) are key derivation functions with a sliding computational cost, used to reduce vulnerabilities to brute force attacks
scryptSCryptPasswordEncoderscrypt (pronounced "ess crypt") is a password-based key derivation function (algorithm) that specifically designed to make large-scale custom hardware attacks costly by requiring large amounts of memory
sha256StandardPasswordEncoderSHA-256 — part of SHA-2 (Secure Hash Algorithm 2) family, is novel hash functions computed with 32-bit words.

In our case id should be noop which refer to NoOpPasswordEncoder, and the original encoded password is in plain text format. So we need to change it like this:


NullPointerException InMemoryUserDetailsManager.updatePassword

After change, I encountered this error when running my web application, after login:


To "fix" this issue, what I need to do is only upgrade my Spring Security from 5.1.1.RELEASE to 5.2.1.RELEASE. Please refer to