diff --git a/includes/form.inc b/includes/form.inc
index 7f8cbc64b41e1fd97a892f375e8595bdb2755ed6..d19c82ada665dac27a68338debbf1250fe87fc88 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -3724,7 +3724,7 @@ function theme_textarea($variables) {
 function theme_password($variables) {
   $element = $variables['element'];
   $element['#attributes']['type'] = 'password';
-  element_set_attributes($element, array('id', 'name', 'value', 'size', 'maxlength'));
+  element_set_attributes($element, array('id', 'name', 'size', 'maxlength'));
   _form_set_class($element, array('form-text'));
 
   return '<input' . drupal_attributes($element['#attributes']) . ' />';
diff --git a/modules/user/user.test b/modules/user/user.test
index d999c85e2c98eeaa59787389af4d6cf6315f3381..31e19e267f4d8f5523c95ebfeb11ff283a1aa22f 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -406,6 +406,7 @@ class UserLoginTestCase extends DrupalWebTestCase {
       'pass' => $account->pass_raw,
     );
     $this->drupalPost('user', $edit, t('Log in'));
+    $this->assertNoFieldByXPath("//input[@name='pass' and @value!='']", NULL, t('Password value attribute is blank.'));
     if (isset($flood_trigger)) {
       if ($flood_trigger == 'user') {
         $this->assertRaw(format_plural(variable_get('user_failed_login_user_limit', 5), 'Sorry, there has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', 'Sorry, there have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));