diff --git a/app/app.py b/app/app.py
index d71dba4..7d5b004 100644
--- a/app/app.py
+++ b/app/app.py
@@ -234,7 +234,8 @@ def _hash_password(pw: str) -> str:
 salt = os.urandom(16)
 iterations = 200_000
 dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
- return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+ # use - as the delimiter to avoid Docker env variable substitution
+ return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
 except Exception:
 return ""
@@ -243,7 +244,7 @@ def _verify_password(stored: str, pw: Optional[str]) -> bool:
 if not pw or not stored:
 return False
 try:
- algo, iter_s, salt_hex, hash_hex = stored.split("$")
+ algo, iter_s, salt_hex, hash_hex = stored.split("-")
 if algo != 'pbkdf2_sha256':
 return False
 iterations = int(iter_s)
diff --git a/app/config.py b/app/config.py
index f2c13cc..397af94 100644
--- a/app/config.py
+++ b/app/config.py
@@ -34,7 +34,8 @@ def _hash_password(pw: str) -> str:
 salt = os.urandom(16)
 iterations = 200_000
 dk = hashlib.pbkdf2_hmac('sha256', pw.encode('utf-8'), salt, iterations)
- return f"pbkdf2_sha256${iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"
+ # use - as the delimiter to avoid Docker env variable substitution
+ return f"pbkdf2_sha256-{iterations}-{binascii.hexlify(salt).decode()}-{binascii.hexlify(dk).decode()}"
 except Exception:
 return ""
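Review bot: The stored-hash layout is now written out in three places: the f-string in this `_hash_password`, the identical copy in app/config.py (last hunk), and the `split("-")` in `_verify_password`. A later format change can therefore update one and miss another, which fails as a silent login rejection. A single module-level `_HASH_SEP = "-"`, used as `_HASH_SEP.join((...))` when writing and `stored.split(_HASH_SEP)` when reading, would keep them in step; ideally one module owns `_hash_password` and the other imports it. The new comment would also help more if it named the mechanism, for example `# "-" not "$": "$" in an env value is treated as variable interpolation and corrupts the stored hash`. The function's `try:` line is outside the hunk.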
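Review bot: Hashes written before this commit are still `$`-delimited, and `stored.split("-")` on such a value returns a single element, so the four-way unpack raises and that credential can no longer verify. Unless every stored hash is regenerated as part of the rollout, accept both layouts with `sep = "$" if "$" in stored else "-"` followed by `algo, iter_s, salt_hex, hash_hex = stored.split(sep)`. Neither character can occur in the algorithm tag, the iteration count or the hex fields, so the choice is unambiguous. The remainder of `_verify_password`, including the `except` clause and the digest comparison, is outside the hunk. Whether the failure surfaces as `False` or as an error therefore cannot be confirmed from here.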