diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldType/PasswordItem.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldType/PasswordItem.php
index 7caa26fa4558391b9044fbec9eb568f4511861ae..581adf24c77bee1ef758fd5de839b30a97a6e5b2 100644
--- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldType/PasswordItem.php
+++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldType/PasswordItem.php
@@ -62,6 +62,9 @@ public function preSave() {
         $this->value = $entity->original->{$this->getFieldDefinition()->getName()}->value;
       }
     }
+    // Ensure that the existing password is unset to minimise risks of it
+    // getting serialized and stored somewhere.
+    $this->existing = NULL;
   }
 
   /**
diff --git a/core/modules/user/src/Tests/UserSaveTest.php b/core/modules/user/src/Tests/UserSaveTest.php
index 0682c97088e2fe6a92d93bf2e0295d42f4d8843b..2a4e7b1d312ed8114f88ec5133d9377167feb5d6 100644
--- a/core/modules/user/src/Tests/UserSaveTest.php
+++ b/core/modules/user/src/Tests/UserSaveTest.php
@@ -49,4 +49,18 @@ function testUserImport() {
     $user_by_name = user_load_by_name($test_name);
     $this->assertTrue($user_by_name, 'Loading user by name.');
   }
+
+  /**
+   * Ensures that an existing password is unset after the user was saved.
+   */
+  function testExistingPasswordRemoval() {
+    /** @var \Drupal\user\Entity\User $user */
+    $user = User::create(['name' => $this->randomMachineName()]);
+    $user->save();
+    $user->setExistingPassword('existing password');
+    $this->assertNotNull($user->pass->existing);
+    $user->save();
+    $this->assertNull($user->pass->existing);
+  }
+
 }