I think what Jörg is trying to say is that anywhere a database operation involving a password takes place, you need to make sure to use the StringUtils.hash() method. If you do not, sometimes the passwords are going to be stored in plaintext and other times they will be hashed, so when you try to match them you will run into trouble.
I have not tried to implement the password encoding myself, but after doing a quick search, you will want to change the following methods:
DefaultUserProvider.createUser(); //line ~107
DefaultUserProvider.setPassword(); //line ~366
DefaultAuthProvider.authenticate() //line ~49
I might have missed a spot or two where you will need to make the changes, so be sure to look through DefaultUserProvider and DefaultAuthProvider yourself for any place a password is used.
Hope that helps,
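
The mismatch described in the post above, as an added example that is not part of the original post or the project's code: one write path skips hashing, so the stored value no longer lines up with what the authentication path compares. PasswordPathDemo, its in-memory map and the SHA-256 hash() helper are hypothetical stand-ins for DefaultUserProvider, DefaultAuthProvider and StringUtils.hash().

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class PasswordPathDemo {
    // Stand-in for the user table; holds whatever the write path stored.
    private final Map<String, String> table = new HashMap<>();

    // Hypothetical stand-in for StringUtils.hash(): hex digest of the password.
    static String hash(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest(password.getBytes(StandardCharsets.UTF_8))) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    void createUser(String user, String password) { table.put(user, hash(password)); }

    // The write path that was missed: stores the password exactly as given.
    void setPasswordUnhashed(String user, String password) { table.put(user, password); }

    // The same write path with the hash applied.
    void setPassword(String user, String password) { table.put(user, hash(password)); }

    // Read path: hash the candidate, then compare without early exit.
    boolean authenticate(String user, String candidate) {
        String stored = table.get(user);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                hash(candidate).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        PasswordPathDemo db = new PasswordPathDemo();
        db.createUser("alice", "first-pass"); // constructed sample values
        System.out.println("after createUser: " + db.authenticate("alice", "first-pass"));
        db.setPasswordUnhashed("alice", "second-pass"); // row now holds plaintext
        System.out.println("after unhashed set: " + db.authenticate("alice", "second-pass"));
        db.setPassword("alice", "second-pass"); // row holds a hash again
        System.out.println("after hashed set: " + db.authenticate("alice", "second-pass"));
    }
}
```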