diff --git a/src/routes/profile.js b/src/routes/profile.js
index ee38e4ddc..5d1144670 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -70,6 +70,8 @@ async function update(req, res, next) {
 const [verifyError] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN));
 if (verifyError) return next(BoxError.toHttpError(verifyError));
+
+ req.body.password = ''; // this will prevent logs from displaying plain text password
 }
 const [error] = await safe(users.update(req.user, data, auditSource.fromRequest(req)));
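Review bot: The added scrub runs only after a successful verify; when `verifyError` is set, the `return next(...)` on the line above exits first, so a rejected password (often a near-miss of the real one) is still in `req.body` for whatever logs the failed request. Assuming the logging reads `req.body` after the handler, as the new comment implies, take the value out before the check: `const password = req.body.password; req.body.password = '';` and then call `users.verify(req.user.id, password, users.AP_WEBADMIN)`. Redacting the `password` field in the logger itself would be more robust than per-route blanking, since other routes that accept a password are not covered by this change. The body of `update` starts and ends outside this hunk, so the condition guarding this block is not visible here.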