diff -Nur moin-1.5.5a/MoinMoin/auth.py moin-1.5.5a.new/MoinMoin/auth.py
--- moin-1.5.5a/MoinMoin/auth.py	2006-10-11 11:33:21.607503000 +0100
+++ moin-1.5.5a.new/MoinMoin/auth.py	2006-10-11 11:34:51.451724455 +0100
@@ -172,7 +172,9 @@
     # check if we are running Twisted
     if isinstance(request, RequestTwisted):
         username = request.twistd.getUser()
-        password = request.twistd.getPassword()
+        password = None
+        if request.cfg.user_save_password:
+            password = request.twistd.getPassword()
         # when using Twisted http auth, we use username and password from
         # the moin user profile, so both can be changed by user.
         u = user.User(request, auth_username=username, password=password,
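Review bot: The context comment just below the new `if` still says both username and password come from the moin user profile, which no longer holds when `user_save_password` is off and `password` stays `None`. How `user.User(...)` handles `password=None` is not visible in this hunk. It should be confirmed that the profile password comparison is skipped only because Twisted has already authenticated the request, and that an empty or unauthenticated `username` cannot load a profile on this path. I would add a comment above the new lines, such as `# password=None: trust Twisted's HTTP auth and do not copy the credential into the moin profile`, and adjust the older comment to match. The `user.User(` call continues past the end of the hunk.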
diff -Nur moin-1.5.5a/MoinMoin/multiconfig.py moin-1.5.5a.new/MoinMoin/multiconfig.py
--- moin-1.5.5a/MoinMoin/multiconfig.py	2006-10-11 11:33:11.585375000 +0100
+++ moin-1.5.5a.new/MoinMoin/multiconfig.py	2006-10-11 11:35:13.121677407 +0100
@@ -369,6 +369,7 @@
     tz_offset = 0.0 # default time zone offset in hours from UTC
     user_autocreate = False # do we auto-create user profiles
     user_email_unique = True # do we check whether a user's email is unique?
+    user_save_password = True # do we save the user's password?
 
     # a regex of HTTP_USER_AGENTS that should be excluded from logging
     # and receive a FORBIDDEN for anything except viewing a page
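Review bot: The inline comment on `user_save_password` does not say which password is meant or where it is saved. From the auth.py hunk, the flag appears to govern only whether the Twisted HTTP-auth password is handed to `user.User`. A more precise comment would be `# hand the HTTP-auth password to the moin user profile? (Twisted auth only)`. The default of `True` keeps the previous behaviour, so a site whose HTTP-auth credentials come from an external store has to opt out explicitly, which is worth stating in the option's documentation.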
