diff --git a/src/main/resources/ftl/index.ftl b/src/main/resources/ftl/index.ftl index dddaf7a..e08c17c 100644 --- a/src/main/resources/ftl/index.ftl +++ b/src/main/resources/ftl/index.ftl @@ -98,20 +98,18 @@

and now login with Google or Facebook accounts.

-

You can sign in from the link at the top right. There are two built-in accounts you - can user, zenith@acme.com and nadir@acme.com. - Both have password pass. The zenith account is an admin, and - can do more than nadir which is a normal user account. The dummy accounts, - of the form userN@acme.comall have the password acme

+

You can sign in from the link at the top right. There is a built-in account you + can user, zenith@acme.com. + It has password pass. The zenith account is a normal user account.

You can also register for an account. You need to provide an Email which you control for this as a registration code will be sent to this Email address. Once you're registered you can use this account, unless someone suspends it.

If you forget your password you can reset it. An email is sent to you with a code and a link. Either enter the code or follow the link to do the reset.

-

When logged in as zenith you can list users and choose whether to suspend them or not. - A suspended user cannot login.

For convenience we allow users to log in with Google or Facebook accounts. In each case we grab - the Email address, but no registration is required.

+ the Email address, but no registration is required. Its straightforward to add other OAuth 2 providers, + in addition to Facebook. Note that the token is invalidated as soon as we've read the Email address. + This increases security, but its an odd use of OAuth.

In practice all the URLs must run under HTTPS, since passwords are contained in the HTTP requests, and since we use Ajax calls where going from HTTP to HTTPS, which is cross-domain, is not allowed. This demo uses HTTPS throughout. diff --git a/src/main/resources/shiro.ini b/src/main/resources/shiro.ini index 6a81fb3..2155502 100644 --- a/src/main/resources/shiro.ini +++ b/src/main/resources/shiro.ini @@ -10,11 +10,14 @@ gaeRealm = com.cilogi.shiro.gae.DatastoreRealm oauthRealm = com.cilogi.shiro.oauth.OAuthRealm googleRealm = com.cilogi.shiro.googlegae.GoogleGAERealm +passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher +iniRealm.credentialsMatcher = $passwordMatcher + securityManager.realms = $iniRealm, $gaeRealm, $oauthRealm, $googleRealm [users] -zenith@acme.com = pass, user -tim@timniblett.net = *, user, admin +zenith@acme.com = $shiro1$SHA-256$500000$p5Dtx0ux0g0Xq/xvFjI8tQ==$BNlTuK2QaoxPpOEKzbPsbJezQ8k4+RI7mYS6t5eh0TA=, user +tim@timniblett.net = $shiro1$SHA-256$500000$akZJ/TrSnudioSjCtYfYbA==$Sw9g6WCiZLraTKhQhGKfIpTxpm0z+HY+7jqqj9ggg3I=, user, admin [roles] admin = * diff --git a/src/main/web/index.html b/src/main/web/index.html index feeeba7..5e93c4a 100644 --- a/src/main/web/index.html +++ b/src/main/web/index.html @@ -147,20 +147,18 @@

You can

and now login with Google or Facebook accounts.

-

You can sign in from the link at the top right. There are two built-in accounts you - can user, zenith@acme.com and nadir@acme.com. - Both have password pass. The zenith account is an admin, and - can do more than nadir which is a normal user account. The dummy accounts, - of the form userN@acme.comall have the password acme

+

You can sign in from the link at the top right. There is a built-in account you + can user, zenith@acme.com. + It has password pass. The zenith account is a normal user account.

You can also register for an account. You need to provide an Email which you control for this as a registration code will be sent to this Email address. Once you're registered you can use this account, unless someone suspends it.

If you forget your password you can reset it. An email is sent to you with a code and a link. Either enter the code or follow the link to do the reset.

-

When logged in as zenith you can list users and choose whether to suspend them or not. - A suspended user cannot login.

For convenience we allow users to log in with Google or Facebook accounts. In each case we grab - the Email address, but no registration is required.

+ the Email address, but no registration is required. Its straightforward to add other OAuth 2 providers, + in addition to Facebook. Note that the token is invalidated as soon as we've read the Email address. + This increases security, but its an odd use of OAuth.

In practice all the URLs must run under HTTPS, since passwords are contained in the HTTP requests, and since we use Ajax calls where going from HTTP to HTTPS, which is cross-domain, is not allowed. This demo uses HTTPS throughout.
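Review bot: in the shiro.ini hunk the new `passwordMatcher` is wired only to `iniRealm`, so the hashed `$shiro1$SHA-256$500000$...` entries cover the two ini accounts but the hunk shows nothing about how `gaeRealm` (`com.cilogi.shiro.gae.DatastoreRealm`, where registered users live) stores and compares credentials; please state in the PR description that the datastore realm also uses hashed passwords, or give it a `credentialsMatcher` as well if it does not. The Shiro1 crypt format is self-describing (algorithm, iteration count and salt are carried in the string), which is the right choice here. Two smaller points: `[users]` still grants `admin = *` to a personal address committed to the repository, and the documentation hunks in the same patch keep stating that zenith's password is `pass`, so hashing the ini only guards against disclosure of the file itself, not against anyone who reads the demo page.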
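Review bot: the rewritten account sentence in both src/main/resources/ftl/index.ftl and src/main/web/index.html carries the typo `can user` over from the old text (should be `can use`), and the new OAuth paragraph has `Its straightforward` and `its an odd use` (both `It's`). `in addition to Facebook` should read `in addition to Google and Facebook`, since Google login is described two sentences earlier. On substance, `the token is invalidated as soon as we've read the Email address. This increases security` would read better if it said what is gained: a revoked access token cannot be replayed if it leaks from the server, and the application never holds a live credential for the user's Google or Facebook account beyond the one profile read. Finally, this block of text is duplicated verbatim across the two files, so every wording fix has to be made twice; consider generating one from the other.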