diff --git a/app/templates/server/api/user(auth)/user.controller.js b/app/templates/server/api/user(auth)/user.controller.js
index f4cd10c29..ee3d56387 100644
--- a/app/templates/server/api/user(auth)/user.controller.js
+++ b/app/templates/server/api/user(auth)/user.controller.js
@@ -86,7 +86,7 @@ exports.me = function(req, res, next) {
 var userId = req.user._id;
 User.findOne({
 _id: userId
- }, '-salt -hashedPassword', function(err, user) { // don't ever give out the password or salt
+ }, function(err, user) { // don't ever give out the password or salt
 if (err) return next(err);
 if (!user) return res.json(401);
 res.json(user);
diff --git a/app/templates/server/api/user(auth)/user.model.js b/app/templates/server/api/user(auth)/user.model.js
index cc8d59263..ef51ba493 100644
--- a/app/templates/server/api/user(auth)/user.model.js
+++ b/app/templates/server/api/user(auth)/user.model.js
@@ -12,9 +12,9 @@ var UserSchema = new Schema({
 type: String,
 default: 'user'
 },
- hashedPassword: String,
+ hashedPassword: {type: String, select: false},
 provider: String,
- salt: String<% if (filters.oauth) { %>,<% if (filters.facebookAuth) { %>
+ salt: {type: String, select: false}<% if (filters.oauth) { %>,<% if (filters.facebookAuth) { %>
 facebook: {},<% } %><% if (filters.twitterAuth) { %>
 twitter: {},<% } %><% if (filters.googleAuth) { %>
 google: {},<% } %>
diff --git a/app/templates/server/api/user(auth)/user.model.spec.js b/app/templates/server/api/user(auth)/user.model.spec.js
index 257c95b7c..f8bd4caa0 100644
--- a/app/templates/server/api/user(auth)/user.model.spec.js
+++ b/app/templates/server/api/user(auth)/user.model.spec.js
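Review bot: The added line keeps the comment `// don't ever give out the password or salt` but drops the projection that enforced it, so the comment now describes an invariant that lives in user.model.js (`select: false`) rather than in this query; reword it so the next reader knows where the exclusion comes from, e.g. `// salt and hashedPassword are select:false in the schema; never add a '+' select here`. Relying on the schema default is fine for this lookup, but `select: false` only shapes query results — a document that was just constructed and saved in-process still carries both fields, so any handler that serializes such an object (not this one, which re-fetches by id) needs its own exclusion. The adjacent `res.json(401)` on the context line sends the number 401 as a 200-status body rather than an unauthorized status; it predates this change, but a real status (`res.status(401).end()`, or `res.send(401)` on older Express) is worth fixing while touching this function. exports.me continues past the hunk.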
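Review bot: `select: false` on `hashedPassword` and `salt` only affects query projection; a document built with `new User(...)` and saved still holds both fields in memory, so any code path that serializes a freshly created or freshly authenticated user instance (rather than one re-read from the database) still emits them. A `toJSON` transform on the schema closes that gap regardless of how the document was obtained, and is cheap insurance given that passport.js in this same commit deliberately re-selects the fields with `'+salt +hashedPassword'`. The `UserSchema` definition starts and ends outside this hunk; the transform belongs after the `new Schema({...})` call, merged into any existing `toJSON` options the file may already set further down (not visible here).
```javascript
// … unchanged: UserSchema field definitions …

// Second line of defence: strip credential material from any serialized
// document, including ones constructed in-process or fetched with an
// explicit '+salt +hashedPassword' select.
UserSchema.set('toJSON', {
  transform: function(doc, ret) {
    delete ret.hashedPassword;
    delete ret.salt;
    return ret;
  }
});
```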
@@ -50,6 +50,26 @@ describe('User Model', function() {
 });
 });
 
+ it('should not have salt by default', function(done) {
+ user.save(function() {
+ });
+
+ User.find({name: user.name}, function(err, _user) {
+ _user.should.not.have.property('salt');
+ done();
+ });
+ });
+
+ it('should not have hashedPassword by default', function(done) {
+ user.save(function() {
+ });
+
+ User.find({name: user.name}, function(err, _user) {
+ _user.should.not.have.property('hashedPassword');
+ done();
+ });
+ });
+
 it("should authenticate user if password is valid", function() {
 return user.authenticate('password').should.be.true;
 });
diff --git a/app/templates/server/auth(auth)/local/passport.js b/app/templates/server/auth(auth)/local/passport.js
index ac82b42a2..8b06ed462 100644
--- a/app/templates/server/auth(auth)/local/passport.js
+++ b/app/templates/server/auth(auth)/local/passport.js
@@ -9,7 +9,7 @@ exports.setup = function (User, config) {
 function(email, password, done) {
 User.findOne({
 email: email.toLowerCase()
- }, function(err, user) {
+ }, '+salt +hashedPassword', function(err, user) {
 if (err) return done(err);
 if (!user) {
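Review bot: The two new tests do not exercise the `select: false` behaviour they are named for: `user.save` is called with an empty callback and `User.find` runs immediately, so the query can execute before the document exists, and `User.find` yields an array, so `_user.should.not.have.property('salt')` checks the array object rather than the user document and passes no matter what the query selected. Move the query into the save callback, use `findOne`, and pass `err` to `done` so a failed save or query fails the test instead of hanging; the `hashedPassword` test needs the same change. Asserting on a Mongoose document may also be satisfied by the schema's path getters rather than by the loaded data (not verifiable from this hunk), so asserting on `_user.toObject()` is the safer form. The `describe('User Model')` block continues outside the hunk.
```javascript
  it('should not have salt by default', function(done) {
    user.save(function(err) {
      if (err) return done(err);
      User.findOne({name: user.name}, function(err, _user) {
        if (err) return done(err);
        _user.toObject().should.not.have.property('salt');
        done();
      });
    });
  });

  // … same structure for 'should not have hashedPassword by default' …
```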
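Review bot: The user object loaded with `'+salt +hashedPassword'` now carries both credential fields and, if it is later handed to `done(null, user)` (outside this hunk), becomes `req.user`; any route that serializes `req.user` directly would then emit them, whereas a lookup without the explicit select would not. Document the intent on the added line so the re-select is not copied into other queries, e.g. `}, '+salt +hashedPassword', function(err, user) { // re-select credential fields (select:false in the schema) solely for the password check; never send this object to a client`. If the session serializer stores only `user.id`, the exposure is limited to handlers that use `req.user` as a response body, which cannot be confirmed from this hunk. The enclosing callback continues outside the hunk.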