diff --git a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
index 25d3cae70d..9f519afdf6 100644
--- a/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
+++ b/core/src/main/java/org/springframework/security/provisioning/JdbcUserDetailsManager.java
@@ -221,7 +221,7 @@ public class JdbcUserDetailsManager extends JdbcDaoImpl implements UserDetailsMa
 UserDetails user = loadUserByUsername(currentAuth.getName());
 UsernamePasswordAuthenticationToken newAuthentication =
- new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
+ new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
 newAuthentication.setDetails(currentAuth.getDetails());
 return newAuthentication;
diff --git a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
index 4f51c477a3..085390683a 100644
--- a/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
+++ b/core/src/test/java/org/springframework/security/provisioning/JdbcUserDetailsManagerTests.java
@@ -168,7 +168,7 @@ public class JdbcUserDetailsManagerTests {
 Authentication newAuth = SecurityContextHolder.getContext().getAuthentication();
 assertEquals("joe", newAuth.getName());
 assertEquals(currentAuth.getDetails(), newAuth.getDetails());
- assertEquals("newPassword", newAuth.getCredentials());
+ assertNull(newAuth.getCredentials());
 assertFalse(cache.getUserMap().containsKey("joe"));
 }
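Review bot: Passing `null` as the credentials removes the password from the token's credentials field, but the principal handed to the same constructor is the `UserDetails` just returned by `loadUserByUsername`, whose `getPassword()` still yields the stored password, so a copy remains reachable from the `SecurityContext` through `getPrincipal()`. If the SEC-2166 intent is to keep the password out of the context entirely, `newAuthentication.eraseCredentials();` after construction would also clear a principal that implements `CredentialsContainer`, though any caller that reads the principal's password afterwards would then see `null`, so this should be a deliberate choice. Either way the `null` argument deserves a why-comment, e.g. `// SEC-2166: never retain the password in the SecurityContext after a change`. The enclosing `createNewAuthentication` method starts and ends outside the hunk, and the updated test at -168 asserts only `getCredentials()`, not what the principal still exposes.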
@@ -302,6 +302,15 @@ public class JdbcUserDetailsManagerTests {
 assertEquals(0, template.queryForList(SELECT_JOE_AUTHORITIES_SQL).size());
 }
+ // SEC-2166
+ @Test
+ public void createNewAuthenticationUsesNullPasswordToKeepPassordsSave() {
+ insertJoe();
+ UsernamePasswordAuthenticationToken currentAuth = new UsernamePasswordAuthenticationToken("joe",null, AuthorityUtils.createAuthorityList("ROLE_USER"));
+ Authentication updatedAuth = manager.createNewAuthentication(currentAuth, "new");
+ assertNull(updatedAuth.getCredentials());
+ }
+
 private Authentication authenticateJoe() {
 UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("joe","password", joe.getAuthorities());