This page will list details on dealing with passwords with PicketLink v2.5.0 onwards.
org.picketlink.idm.credential.Password represents a text based password.
org.picketlink.idm.password.PasswordEncoder is the interface dealing with password encoding
BCrypt
PBKDF2
SHA
TBD
Look at the quickstarts to get an idea of injecting passwords into your applications.
Idea is to @Inject Password into your application. You can have a CDI producer method in the application that knows how to construct a Password instance. On Wildfly/JBoss EAP, this method can interact with the Vault.