diff --git a/pkg/controller/user/user_controller.go b/pkg/controller/user/user_controller.go
index e89c45a05e9797954eb6a5810bd628147e89079e..96c5c6b747c3da5285871ee28c54b51a67856dc9 100644
--- a/pkg/controller/user/user_controller.go
+++ b/pkg/controller/user/user_controller.go
@@ -367,6 +367,8 @@ func (c *Controller) ensurePasswordIsEncrypted(user *iamv1alpha2.User) (*iamv1al
 		if user.Annotations == nil {
 			user.Annotations = make(map[string]string, 0)
 		}
+		// ensure plain text password won't be kept anywhere
+		delete(user.Annotations, corev1.LastAppliedConfigAnnotation)
 		user.Annotations[iamv1alpha2.PasswordEncryptedAnnotation] = "true"
 		user.Status = iamv1alpha2.UserStatus{
 			State:              iamv1alpha2.UserActive,