When the Console class was introduced in jdk6 many years ago, we rewrote Password.readPassword() to use Console so password do not echo on the screen. It was good but the two methods behave differently when non-ASCII chars are entered. Console.readPassword() uses a Reader so it converts the input bytes into chars in a Charset, while the old Password.readPassword() simply converts one byte into one char. For compatibility reason we added a hack to encode the char[] returned by Password.readPassword() into byte[] and convert it to char[] like the old Password class did. Of course, it wasn't a pleasant experience, for example, a keystore created with "keytool -storepass üäö" cannot be opened by "keytool -list" if you type the same password into the screen prompt. But we accepted it because that has never been successful, and at least old keystore created with password prompt can now be opened with the same password at prompt.

We might need to reconsider this decision. This compatibility mode is definitely not correct, it is only as incorrect as the old one. Pure Password.readPassword() should be better.

We can use the "pure" encoding scheme and have a fallback and try both approaches when reading old keystores. We can also backport a change to jdk8u that can check for both schemes. A system property can be added that can use the old scheme when creating a keystore, if necessary.