diff --git a/docs/content/development/extensions-core/druid-basic-security.md b/docs/content/development/extensions-core/druid-basic-security.md
index c0f9d054bc12f99e2dd25046bd544e1e0b8a3d69..d1d044b23401c66896178dbd485d73200b856319 100644
--- a/docs/content/development/extensions-core/druid-basic-security.md
+++ b/docs/content/development/extensions-core/druid-basic-security.md
@@ -53,8 +53,8 @@ The configuration examples in the rest of this document will use "MyBasicAuthent #### Properties |Property|Description|Default|required| |--------|-----------|-------|--------| -|`druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword`|Initial password for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will affect its password.|null|No| -|`druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword`|Initial password for the default internal system user, used for internal node communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will affect its password.|null|No| +|`druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.html) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No| +|`druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.html) for the default internal system user, used for internal node communication. If no password is specified, the default internal system user will not be created. 
If the default internal system user already exists, setting this property will not affect its password.|null|No| |`druid.auth.authenticator.MyBasicAuthenticator.enableCacheNotifications`|If true, the coordinator will notify Druid nodes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No| |`druid.auth.authenticator.MyBasicAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| |`druid.auth.authenticator.MyBasicAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No| diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java index 22d078498e4985bb765673de87bca689fe155f49..7e084cb63bebffd189ce94598830217053ec2888 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java 
@@ -19,19 +19,21 @@ package org.apache.druid.security.basic; +import org.apache.druid.metadata.PasswordProvider; + public class BasicAuthDBConfig { public static final long DEFAULT_CACHE_NOTIFY_TIMEOUT_MS = 5000; - private final String initialAdminPassword; - private final String initialInternalClientPassword; + private final PasswordProvider initialAdminPassword; + private final PasswordProvider initialInternalClientPassword; private final boolean enableCacheNotifications; private final long cacheNotificationTimeout; private final int iterations; public BasicAuthDBConfig( - final String initialAdminPassword, - final String initialInternalClientPassword, + final PasswordProvider initialAdminPassword, + final PasswordProvider initialInternalClientPassword, final Boolean enableCacheNotifications, final Long cacheNotificationTimeout, final int iterations @@ -44,12 +46,12 @@ public class BasicAuthDBConfig this.iterations = iterations; } - public String getInitialAdminPassword() + public PasswordProvider getInitialAdminPassword() { return initialAdminPassword; } - public String getInitialInternalClientPassword() + public PasswordProvider getInitialInternalClientPassword() { return initialInternalClientPassword; } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java index 7e495eb03df86143114d1a9d03e8af92e0d65b49..71d927dc773f8c6fd11b7a78ad4b4ae412eb8b07 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java 
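Review bot: The getters `getInitialAdminPassword()` and `getInitialInternalClientPassword()` now return a `PasswordProvider` that can be null (the property table in this commit lists `null` as the default), but nothing on the class says so, and the one caller changed in this commit chains `.getPassword()` directly onto the result. Javadoc on each getter would make the contract explicit, for example `/** Provider for the initial admin password, or null if no default admin user should be created. */`. It is also worth stating there that the secret should be resolved only at the point where the user is created, and not stored or logged. The constructor body sits between the two hunks and is not shown.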
@@ -25,6 +25,7 @@ import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonTypeName; import com.google.inject.Provider; import org.apache.druid.java.util.common.IAE; +import org.apache.druid.metadata.PasswordProvider; import org.apache.druid.security.basic.BasicAuthDBConfig; import org.apache.druid.security.basic.BasicAuthUtils; import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager; @@ -62,8 +63,8 @@ public class BasicHTTPAuthenticator implements Authenticator @JacksonInject Provider cacheManager, @JsonProperty("name") String name, @JsonProperty("authorizerName") String authorizerName, - @JsonProperty("initialAdminPassword") String initialAdminPassword, - @JsonProperty("initialInternalClientPassword") String initialInternalClientPassword, + @JsonProperty("initialAdminPassword") PasswordProvider initialAdminPassword, + @JsonProperty("initialInternalClientPassword") PasswordProvider initialInternalClientPassword, @JsonProperty("enableCacheNotifications") Boolean enableCacheNotifications, @JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout, @JsonProperty("credentialIterations") Integer credentialIterations diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java index 442c23385e1d8a69494b2893778e8d76ee02e41f..941b4a38a0e419cbf90b2eaf93acc5cf41b873ea 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java 
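Review bot: Changing the `initialAdminPassword` and `initialInternalClientPassword` constructor parameters from `String` to `PasswordProvider` changes what Jackson accepts for these properties, and nothing in this commit shows that an existing plain-string value still binds after an upgrade; that depends on `PasswordProvider`'s own Jackson annotations, which are not on this page. The tests touched in this commit only pass `new DefaultPasswordProvider(...)` straight to the constructor, so a serde test that builds the authenticator from JSON, once with a plain string and once with a typed provider object, would pin the upgrade path. Once confirmed, a short comment above the two parameters such as `// accepts a plain string (default provider) or a typed PasswordProvider object` would help. The constructor body lies outside the hunk.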
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java @@ -138,7 +138,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi authenticatorName, BasicAuthUtils.ADMIN_NAME, new BasicAuthenticatorCredentialUpdate( - dbConfig.getInitialAdminPassword(), + dbConfig.getInitialAdminPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS ) ); @@ -151,7 +151,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME, new BasicAuthenticatorCredentialUpdate( - dbConfig.getInitialInternalClientPassword(), + dbConfig.getInitialInternalClientPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS ) ); diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java index 90796b394dcbc126889cfe40ab2dc96f7d1a519a..782c9dd211168ac08b098dbf89b19031c4d8c765 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java @@ -23,6 +23,7 @@ import com.google.common.collect.ImmutableMap; import com.google.inject.Provider; import com.google.inject.util.Providers; import org.apache.druid.java.util.common.StringUtils; +import org.apache.druid.metadata.DefaultPasswordProvider; import org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator; import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager; import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate; 
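Review bot: `dbConfig.getInitialAdminPassword().getPassword()` in the hunk at -138 dereferences the provider unconditionally, while the documentation table in this commit keeps `null` as the default for both properties. Unless a guard outside the hunk already skips the call when the provider is absent, this throws a NullPointerException; the enclosing method starts and ends outside the hunk, so that should be confirmed. A non-null provider may also resolve to null or an empty string (presumably possible for a provider that reads an unset environment variable), which would then reach `BasicAuthenticatorCredentialUpdate` as the password of a privileged default account. Resolving once and checking covers both cases, e.g. `String pw = provider == null ? null : provider.getPassword();` followed by `if (pw == null || pw.isEmpty()) { /* do not create the default user */ }`. The same applies to `getInitialInternalClientPassword().getPassword()` in the hunk at -151.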
@@ -71,8 +72,8 @@ public class BasicHTTPAuthenticatorTest CACHE_MANAGER_PROVIDER, "basic", "basic", - "a", - "a", + new DefaultPasswordProvider("a"), + new DefaultPasswordProvider("a"), false, null, null diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java index 72f1c2fba3d375f4859b87ead491caaa898ddc21..dff71e376de08567385d81f24fbefefb82db63b8 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java @@ -23,6 +23,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.dataformat.smile.SmileFactory; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; +import org.apache.druid.metadata.DefaultPasswordProvider; import org.apache.druid.metadata.MetadataStorageTablesConfig; import org.apache.druid.metadata.TestDerbyConnector; import org.apache.druid.security.basic.BasicAuthCommonCacheConfig; @@ -83,8 +84,8 @@ public class CoordinatorBasicAuthenticatorResourceTest null, AUTHENTICATOR_NAME, "test", - "druid", - "druid", + new DefaultPasswordProvider("druid"), + new DefaultPasswordProvider("druid"), null, null, null @@ -94,8 +95,8 @@ public class CoordinatorBasicAuthenticatorResourceTest null, AUTHENTICATOR_NAME2, "test", - "druid", - "druid", + new DefaultPasswordProvider("druid"), + new DefaultPasswordProvider("druid"), null, null, null