diff --git a/core/modules/user/src/Entity/User.php b/core/modules/user/src/Entity/User.php
index 54a268b..aca8a71 100644
--- a/core/modules/user/src/Entity/User.php
+++ b/core/modules/user/src/Entity/User.php
@@ -126,6 +126,10 @@ public function postSave(EntityStorageInterface $storage, $update = TRUE) {
         _user_mail_notify($op, $this);
       }
     }
+
+    // Ensure that the existing password is unset to minify risks of it
+    // getting serialized and stored somewhere.
+    $this->setExistingPassword(NULL);
   }
 
   /**
diff --git a/core/modules/user/src/Tests/UserSaveTest.php b/core/modules/user/src/Tests/UserSaveTest.php
index a2eaf5d..3e77ffa 100644
--- a/core/modules/user/src/Tests/UserSaveTest.php
+++ b/core/modules/user/src/Tests/UserSaveTest.php
@@ -8,6 +8,7 @@
 namespace Drupal\user\Tests;
 
 use Drupal\simpletest\WebTestBase;
+use Drupal\user\Entity\User;
 
 /**
  * Tests account saving for arbitrary new uid.
@@ -48,4 +49,17 @@ function testUserImport() {
     $user_by_name = user_load_by_name($test_name);
     $this->assertTrue($user_by_name, 'Loading user by name.');
   }
+
+  /**
+   * Ensures that an existing password is unset after the user was saved.
+   */
+  function testExistingPasswordRemoval() {
+    $user = User::create(['name' => $this->randomMachineName()]);
+    $user->save();
+    $user->setExistingPassword('existing password');
+    $this->assertNotNull($user->pass->existing);
+    $user->save();
+    $this->assertNull($user->pass->existing);
+  }
+
 }