diff --git a/core/modules/hal/src/Normalizer/ContentEntityNormalizer.php b/core/modules/hal/src/Normalizer/ContentEntityNormalizer.php
index be6c9a0..e414892 100644
--- a/core/modules/hal/src/Normalizer/ContentEntityNormalizer.php
+++ b/core/modules/hal/src/Normalizer/ContentEntityNormalizer.php
@@ -90,7 +90,13 @@ public function normalize($entity, $format = NULL, array $context = array()) {
     // Ignore the entity ID and revision ID.
     $exclude = array($entity->getEntityType()->getKey('id'), $entity->getEntityType()->getKey('revision'));
     foreach ($fields as $field) {
-      if (in_array($field->getFieldDefinition()->getName(), $exclude)) {
+      $field_name = $field->getFieldDefinition()->getName();
+      if (in_array($field_name, $exclude)) {
+        continue;
+      }
+      $field = $entity->get($field_name);
+      if (method_exists($field, 'getFieldDefinition') && ($definition = $field->getFieldDefinition()) && $definition->getType() == 'password') {
+        // Never normalize password items.
         continue;
       }
       $normalized_property = $this->serializer->normalize($field, $format, $context);
@@ -183,10 +189,6 @@ public function denormalize($data, $class, $format = NULL, array $context = arra
       // Get the class of the field. This will generally be the default Field
       // class.
       $field_class = get_class($field);
-      if ($field_class == '\Drupal\Core\Field\Plugin\Field\FieldType\PasswordItem') {
-        // Never normalize password items.
-        continue;
-      }
       // Pass in the empty field object as a target instance. Since the context
       // is already prepared for the field, any data added to it is
       // automatically added to the entity.
diff --git a/core/modules/hal/src/Tests/EntityTest.php b/core/modules/hal/src/Tests/EntityTest.php
index a115146..2ba9afa 100644
--- a/core/modules/hal/src/Tests/EntityTest.php
+++ b/core/modules/hal/src/Tests/EntityTest.php
@@ -6,6 +6,7 @@
  */
 
 namespace Drupal\hal\Tests;
+use Drupal\user\Entity\User;
 
 /**
  * Tests that nodes and terms are correctly normalized and denormalized.
@@ -19,7 +20,7 @@ class EntityTest extends NormalizerTestBase {
    *
    * @var array
    */
-  public static $modules = array('node', 'taxonomy', 'comment');
+  public static $modules = array('node', 'taxonomy', 'comment', 'user');
 
   /**
    * {@inheritdoc}
@@ -31,6 +32,7 @@ protected function setUp() {
     $this->installSchema('system', array('sequences'));
     $this->installSchema('comment', array('comment_entity_statistics'));
     $this->installEntitySchema('comment');
+    $this->installEntitySchema('user');
     $this->installEntitySchema('taxonomy_term');
   }
 
@@ -208,4 +210,35 @@ public function testComment() {
     }
   }
 
+  /**
+   * Tests the normalization of users.
+   */
+  public function testUser() {
+    // Test password isn't available.
+    $account = User::create([
+      'name' => 'foo',
+      'mail' => 'foo@example.com',
+      'pass' => '123456',
+    ]);
+    $account->save();
+    $original_values = $account->toArray();
+    unset($original_values['uid'], $original_values['pass']);
+
+    $normalized = $this->serializer->normalize($account, $this->format);
+
+    $denormalized_account = $this->serializer->denormalize($normalized, 'Drupal\user\Entity\User', $this->format);
+
+    // Verify that the ID and password were skipped by the normalizer.
+    $this->assertEqual(NULL, $denormalized_account->id());
+    $this->assertEqual(NULL, $denormalized_account->getPassword());
+
+    // Loop over the remaining fields and verify that they are identical.
+    foreach ($original_values as $field_name => $field_values) {
+      if (empty($field_values) || (empty($field_values[0]))) {
+        continue;
+      }
+      $this->assertEqual($field_values, $denormalized_account->get($field_name)->getValue());
+    }
+  }
+
 }
diff --git a/core/modules/serialization/src/Normalizer/ComplexDataNormalizer.php b/core/modules/serialization/src/Normalizer/ComplexDataNormalizer.php
index 9d99d5d..154412b 100644
--- a/core/modules/serialization/src/Normalizer/ComplexDataNormalizer.php
+++ b/core/modules/serialization/src/Normalizer/ComplexDataNormalizer.php
@@ -34,6 +34,10 @@ class ComplexDataNormalizer extends NormalizerBase {
   public function normalize($object, $format = NULL, array $context = array()) {
     $attributes = array();
     foreach ($object as $name => $field) {
+      if (method_exists($field, 'getFieldDefinition') && ($definition = $field->getFieldDefinition()) && $definition->getType() == 'password') {
+        // Never normalize password items.
+        continue;
+      }
       $attributes[$name] = $this->serializer->normalize($field, $format);
     }
     return $attributes;