diff --git a/rbac/engine/classes/model/RbacUsers.php b/rbac/engine/classes/model/RbacUsers.php
index 760a9c9b2..f3d0c13fe 100644
--- a/rbac/engine/classes/model/RbacUsers.php
+++ b/rbac/engine/classes/model/RbacUsers.php
@@ -75,12 +75,13 @@ class RbacUsers extends BaseRbacUsers
         try {
             $c = new Criteria('rbac');
             $c->add(RbacUsersPeer::USR_USERNAME, $sUsername);
+            /* @var $rs RbacUsers[] */
             $rs = RbacUsersPeer::doSelect($c, Propel::getDbConnection('rbac_ro'));
             if (is_array($rs) && isset($rs[0]) && is_object($rs[0]) && get_class($rs[0]) == 'RbacUsers') {
                 $aFields = $rs[0]->toArray(BasePeer::TYPE_FIELDNAME);
                 //verify password with md5, and md5 format
                 if (mb_strtoupper($sUsername, 'utf-8') === mb_strtoupper($aFields['USR_USERNAME'], 'utf-8')) {
-                    if( Bootstrap::verifyHashPassword($sPassword, $aFields['USR_PASSWORD']) ) {
+                    if( Bootstrap::verifyHashPassword($sPassword, $rs[0]->getUsrPassword()) ) {
                         if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) {
                             return -4;
                         }
@@ -317,6 +318,25 @@ class RbacUsers extends BaseRbacUsers
           throw($oError);
         }
     }
+
+    /**
+     * {@inheritdoc} except USR_PASSWORD, for security reasons.
+     *
+     * @param string $keyType One of the class type constants TYPE_PHPNAME,
+     *                        TYPE_COLNAME, TYPE_FIELDNAME, TYPE_NUM
+     * @return an associative array containing the field names (as keys) and field values
+     */
+    public function toArray($keyType = BasePeer::TYPE_PHPNAME)
+    {
+        $key = RbacUsersPeer::translateFieldName(
+            RbacUsersPeer::USR_PASSWORD,
+            BasePeer::TYPE_COLNAME,
+            $keyType
+        );
+        $array = parent::toArray($keyType);
+        unset($array[$key]);
+        return $array;
+    }
 }
 
 // Users
diff --git a/workflow/engine/classes/model/Users.php b/workflow/engine/classes/model/Users.php
index b2b6e261c..eb92a080f 100644
--- a/workflow/engine/classes/model/Users.php
+++ b/workflow/engine/classes/model/Users.php
@@ -490,4 +490,23 @@ class Users extends BaseUsers
         $criteria->add(UsersPeer::USR_ID, $id);
         return UsersPeer::doSelect($criteria)[0];
     }
+    
+    /**
+     * {@inheritdoc} except USR_PASSWORD, for security reasons.
+     *
+     * @param string $keyType One of the class type constants TYPE_PHPNAME,
+     *                        TYPE_COLNAME, TYPE_FIELDNAME, TYPE_NUM
+     * @return an associative array containing the field names (as keys) and field values
+     */
+    public function toArray($keyType = BasePeer::TYPE_PHPNAME)
+    {
+        $key = UsersPeer::translateFieldName(
+            UsersPeer::USR_PASSWORD,
+            BasePeer::TYPE_COLNAME,
+            $keyType
+        );
+        $array = parent::toArray($keyType);
+        unset($array[$key]);
+        return $array;
+    }
 }
diff --git a/workflow/engine/methods/users/usersAjax.php b/workflow/engine/methods/users/usersAjax.php
index 4172aea74..9c97c46ca 100644
--- a/workflow/engine/methods/users/usersAjax.php
+++ b/workflow/engine/methods/users/usersAjax.php
@@ -318,7 +318,7 @@ switch ($_POST['action']) {
 
         require_once 'classes/model/UsersProperties.php';
         $oUserProperty = new UsersProperties();
-        $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($aFields['USR_PASSWORD']))));
+        $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($aFields['USR_UID'], array('USR_PASSWORD_HISTORY' => serialize(array($oUser->getUsrPassword()))));
         $aFields['USR_LOGGED_NEXT_TIME'] = $aUserProperty['USR_LOGGED_NEXT_TIME'];
 
         if (array_key_exists('USR_PASSWORD', $aFields)) {
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/User.php b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
index 8808c21f9..fc321d74b 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/User.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
@@ -785,7 +785,7 @@ class User
                     $oUser = new Users();
                     $aUser = $oUser->load($userUid);
                     $oUserProperty = new UsersProperties();
-                    $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($aUser["USR_PASSWORD"]))));
+                    $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($oUser->getUsrPassword()))));
                     $aUserProperty["USR_LOGGED_NEXT_TIME"] = $arrayData["USR_LOGGED_NEXT_TIME"];
                     $oUserProperty->update($aUserProperty);
                 }
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php b/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
index 2f9a1c405..f72fc9f90 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
@@ -382,7 +382,7 @@ class WebEntry
                     $arrayUserData = $user->load($arrayWebEntryData["USR_UID"]);
 
                     $usrUsername = $arrayUserData["USR_USERNAME"];
-                    $usrPassword = $arrayUserData["USR_PASSWORD"];
+                    $usrPassword = $user->getUsrPassword();
 
                     $dynaForm = new \Dynaform();