diff --git a/backend/backend.go b/backend/backend.go
index fb3e23378a0c5357ca6c7c2463e63c8ce9285874..653f0a9483e8bd848194902aa8cbbe9bef94b10d 100644
--- a/backend/backend.go
+++ b/backend/backend.go
@@ -16,7 +16,7 @@ type User struct {
 	Name                  string
 	Email                 string
 	Shard                 string
-	EncryptedPassword     []byte
+	EncryptedPassword     string
 	TOTPSecret            string
 	WebAuthnRegistrations []webauthn.Credential
 	AppSpecificPasswords  []*AppSpecificPassword
@@ -27,7 +27,7 @@ type User struct {
 type AppSpecificPassword struct {
 	ID                string
 	Service           string
-	EncryptedPassword []byte
+	EncryptedPassword string
 }
 
 // Has2FA returns true if the user supports any interactive 2FA method.
diff --git a/backend/file/file.go b/backend/file/file.go
index 1ad06107c422495d3b255017a99fdcbd2c1d85b3..7a30fa7e1abe8ed92605afa48e0c76a4da57a06e 100644
--- a/backend/file/file.go
+++ b/backend/file/file.go
@@ -55,7 +55,7 @@ func (f *fileUser) toUser(filename string) *backend.User {
 		Name:              f.Name,
 		Email:             f.Email,
 		Shard:             f.Shard,
-		EncryptedPassword: []byte(f.EncryptedPassword),
+		EncryptedPassword: f.EncryptedPassword,
 		TOTPSecret:        f.TOTPSecret,
 		Groups:            f.Groups,
 	}
@@ -64,7 +64,7 @@ func (f *fileUser) toUser(filename string) *backend.User {
 		u.AppSpecificPasswords = append(u.AppSpecificPasswords, &backend.AppSpecificPassword{
 			ID:                asp.ID,
 			Service:           asp.Service,
-			EncryptedPassword: []byte(asp.EncryptedPassword),
+			EncryptedPassword: asp.EncryptedPassword,
 		})
 	}
 
diff --git a/backend/ldap/ldap.go b/backend/ldap/ldap.go
index fdad60ca9e743bfca04c229fabca86d67f692304..6c70b7f7b529414e4a2f35b93c2187390d4ec026 100644
--- a/backend/ldap/ldap.go
+++ b/backend/ldap/ldap.go
@@ -9,8 +9,8 @@ import (
 
 	ldaputil "git.autistici.org/ai3/go-common/ldap"
 	ct "git.autistici.org/ai3/go-common/ldap/compositetypes"
-	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/go-ldap/ldap/v3"
+	"github.com/go-webauthn/webauthn/webauthn"
 	"gopkg.in/yaml.v3"
 
 	"git.autistici.org/id/auth/backend"
@@ -72,7 +72,7 @@ func decodeAppSpecificPasswordList(encodedAsps []string) []*backend.AppSpecificP
 			out = append(out, &backend.AppSpecificPassword{
 				ID:                p.ID,
 				Service:           p.Service,
-				EncryptedPassword: []byte(p.EncryptedPassword),
+				EncryptedPassword: p.EncryptedPassword,
 			})
 		}
 	}
@@ -245,7 +245,7 @@ func (b *ldapServiceBackend) userFromResponse(username string, result *ldap.Sear
 		Name:                  username,
 		Email:                 getStringFromLDAPEntry(entry, b.attrs["email"]),
 		Shard:                 getStringFromLDAPEntry(entry, b.attrs["shard"]),
-		EncryptedPassword:     []byte(dropCryptPrefix(getStringFromLDAPEntry(entry, b.attrs["password"]))),
+		EncryptedPassword:     dropCryptPrefix(getStringFromLDAPEntry(entry, b.attrs["password"])),
 		TOTPSecret:            getStringFromLDAPEntry(entry, b.attrs["totp_secret"]),
 		AppSpecificPasswords:  decodeAppSpecificPasswordList(getListFromLDAPEntry(entry, b.attrs["app_specific_password"])),
 		WebAuthnRegistrations: decodeU2FRegistrationList(getListFromLDAPEntry(entry, b.attrs["u2f_registration"])),
@@ -277,8 +277,7 @@ func mustEscape(c byte) bool {
 // special characters in the 'escaped' set and those out of the range
 // 0 < c < 0x80, as defined in RFC4515.
 //
-//  escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
-//
+//	escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
 func escapeDN(s string) string {
 	escape := 0
 	for i := 0; i < len(s); i++ {
diff --git a/protocol.go b/protocol.go
index 0df709d023f600cdae1fa7f19635d72e66576d3e..90d8320b4f66b7bc528ef171d74a96c023e94baa 100644
--- a/protocol.go
+++ b/protocol.go
@@ -16,7 +16,7 @@ import (
 type Request struct {
 	Service          string
 	Username         string
-	Password         []byte
+	Password         string
 	OTP              string
 	WebAuthnSession  *webauthn.SessionData
 	WebAuthnResponse *protocol.ParsedCredentialAssertionData
@@ -26,7 +26,7 @@ type Request struct {
 func (r *Request) EncodeToMap(m map[string]string, prefix string) {
 	m[prefix+"service"] = r.Service
 	m[prefix+"username"] = r.Username
-	m[prefix+"password"] = string(r.Password)
+	m[prefix+"password"] = r.Password
 
 	if r.OTP != "" {
 		m[prefix+"otp"] = r.OTP
@@ -47,7 +47,7 @@ func (r *Request) EncodeToMap(m map[string]string, prefix string) {
 func (r *Request) DecodeFromMap(m map[string]string, prefix string) {
 	r.Service = m[prefix+"service"]
 	r.Username = m[prefix+"username"]
-	r.Password = []byte(m[prefix+"password"])
+	r.Password = m[prefix+"password"]
 	r.OTP = m[prefix+"otp"]
 	if s := m[prefix+"webauthn_session"]; s != "" {
 		var sess webauthn.SessionData
diff --git a/protocol_test.go b/protocol_test.go
index 2d11004257e1e02e911efa7bd7bbe3c9e6838de8..0dd9dfe73717141e0fd517a088a01dea9f3f469e 100644
--- a/protocol_test.go
+++ b/protocol_test.go
@@ -16,7 +16,7 @@ func TestProtocol_SerializeRequest(t *testing.T) {
 	req := &Request{
 		Service:  "service",
 		Username: "username",
-		Password: []byte("password"),
+		Password: "password",
 		OTP:      "123456",
 		WebAuthnSession: &webauthn.SessionData{
 			Challenge: "challenge",
diff --git a/server/authserver.go b/server/authserver.go
index e97ca0c2d21a80ce4764411893de047ad8df716d..6d9279d9c5acf34f674826719d5b25b0a3574f20 100644
--- a/server/authserver.go
+++ b/server/authserver.go
@@ -589,8 +589,8 @@ func (s *Server) finishWebAuthnLogin(user *backend.User, sessionData *webauthn.S
 	return hex.EncodeToString(cred.ID), nil
 }
 
-func checkPassword(password, hash []byte) bool {
-	return pwhash.ComparePassword(string(hash), string(password))
+func checkPassword(password, hash string) bool {
+	return pwhash.ComparePassword(hash, password)
 }
 
 func (s *Server) checkOTP(user *backend.User, otp, secret string) bool {
diff --git a/server/authserver_test.go b/server/authserver_test.go
index 85772472964c70fe86fbc55bc5f7af38a755ecfd..7f226ea924957f5a675058de4c732eb42043ffb4 100644
--- a/server/authserver_test.go
+++ b/server/authserver_test.go
@@ -241,7 +241,7 @@ func runAuthenticationTest(t *testing.T, client client.Client) {
 		resp, err := client.Authenticate(context.Background(), &auth.Request{
 			Service:  td.service,
 			Username: td.username,
-			Password: []byte(td.password),
+			Password: td.password,
 		})
 		if err != nil {
 			t.Errorf("transport error: %v", err)
@@ -272,7 +272,7 @@ func runAuthenticationTest(t *testing.T, client client.Client) {
 			Service:  "interactive",
 			Username: td.username,
 			OTP:      td.otp,
-			Password: []byte(td.password),
+			Password: td.password,
 		})
 		if err != nil {
 			t.Errorf("transport error: %v", err)
@@ -319,13 +319,13 @@ func TestAuthServer_Blacklist(t *testing.T) {
 		c.Authenticate(context.Background(), &auth.Request{
 			Service:  "test",
 			Username: "testuser",
-			Password: []byte("bad_password"),
+			Password: "bad_password",
 		})
 	}
 	resp, _ := c.Authenticate(context.Background(), &auth.Request{
 		Service:  "test",
 		Username: "testuser",
-		Password: []byte("password"),
+		Password: "password",
 	})
 	if resp.Status != auth.StatusError {
 		t.Fatalf("user was not blacklisted: %v", resp)
@@ -345,7 +345,7 @@ func TestAuthServer_Blacklist_UnknownUser(t *testing.T) {
 		c.Authenticate(context.Background(), &auth.Request{
 			Service:  "test",
 			Username: fmt.Sprintf("nonexistinguser%d", i),
-			Password: []byte("bad_password"),
+			Password: "bad_password",
 			DeviceInfo: &usermetadb.DeviceInfo{
 				RemoteAddr: "1.2.3.4",
 			},
@@ -371,13 +371,13 @@ func TestAuthServer_Blacklist_BelowLimit(t *testing.T) {
 		c.Authenticate(context.Background(), &auth.Request{
 			Service:  "test",
 			Username: "testuser",
-			Password: []byte("bad_password"),
+			Password: "bad_password",
 		})
 	}
 	resp, _ := c.Authenticate(context.Background(), &auth.Request{
 		Service:  "test",
 		Username: "testuser",
-		Password: []byte("password"),
+		Password: "password",
 	})
 	if resp.Status != auth.StatusOK {
 		t.Fatal("user was incorrectly blacklisted")
@@ -395,7 +395,7 @@ func TestAuthServer_WithStaticGroups(t *testing.T) {
 	resp, _ := c.Authenticate(context.Background(), &auth.Request{
 		Service:  "test",
 		Username: "testuser",
-		Password: []byte("password"),
+		Password: "password",
 	})
 	if resp.Status != auth.StatusOK {
 		t.Fatal("auth failed unexpectedly")
diff --git a/server/sql_test.go b/server/sql_test.go
index 2eb07023d97f3d08ab4fe7abf68f9705221135c3..952adcc6b1d9360093929a576afb8145bc2333de 100644
--- a/server/sql_test.go
+++ b/server/sql_test.go
@@ -117,7 +117,7 @@ INSERT INTO users (email, password) VALUES (
 	resp, err := client.Authenticate(context.Background(), &auth.Request{
 		Service:  "test",
 		Username: "test@example.com",
-		Password: []byte("password"),
+		Password: "password",
 	})
 	if err != nil {
 		t.Fatalf("Authenticate: %v", err)
diff --git a/server/unixserver_test.go b/server/unixserver_test.go
index b64cf9712df257cd1a3027e88cf7d40a704af7a7..6cf1e04a2911c241438f09024f676bcdf943ddbf 100644
--- a/server/unixserver_test.go
+++ b/server/unixserver_test.go
@@ -146,7 +146,7 @@ func trySuccessfulLogin(socketPath string) error {
 	resp, err := c.Authenticate(ctx, &auth.Request{
 		Service:  "test",
 		Username: "testuser",
-		Password: []byte("password"),
+		Password: "password",
 	})
 	if err != nil {
 		return err