diff --git a/api/http/handler/users/user_update.go b/api/http/handler/users/user_update.go
index 5eae759aa..868610fad 100644
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@@ -125,5 +125,8 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 	// remove all of the users persisted API keys
 	handler.apiKeyService.InvalidateUserKeyCache(user.ID)
 
+	// hide the password field in the response payload
+	user.Password = ""
+
 	return response.JSON(w, user)
 }