When invoking setPassword()
you're actually going to set a password hash, not a password itself. And also this one does more than one thing - it knows how to assign a password hash and also knows how to encrypt it.
So, with a current setPassword()
method you have two problems:
1) setPassword()
name's implies that you're going to set a password, not its hash. Therefore it breaks the POLS
2) Since the method also knows how to encrypt a password, the encryption algorithm becomes tightly coupled to it.
So, I'd recommend going this way
// Only once!
$passwordHash = md5($_POST['password'])
$userCredentials->setUsername($_POST['username']);
$userCredentials->setPasswordHash($passwordHash);
....
$user->setPasswordHash($passwordHash);
This makes you hashing algorithm completely decoupled from authentication, thus when changing it, it wouldn't hurt so much.
In general I'd say - your design is OK.