diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java index 16cf3809856..1842c0abf8a 100644 --- a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java +++ b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java @@ -294,11 +294,17 @@ public void addModifications(ItemDelta... itemDeltas) { * from the above definition. */ public ItemDelta findItemDelta(ItemPath itemPath) { - return findItemDelta(itemPath, ItemDelta.class, Item.class); + //noinspection unchecked + return findItemDelta(itemPath, ItemDelta.class, Item.class, false); } - private ,DD extends ItemDelta> - DD findItemDelta(ItemPath propertyPath, Class
deltaType, Class itemType) { + public ItemDelta findItemDelta(ItemPath itemPath, boolean strict) { + //noinspection unchecked + return findItemDelta(itemPath, ItemDelta.class, Item.class, strict); + } + + public ,DD extends ItemDelta> + DD findItemDelta(ItemPath propertyPath, Class
deltaType, Class itemType, boolean strict) { if (changeType == ChangeType.ADD) { I item = objectToAdd.findItem(propertyPath, itemType); if (item == null) { @@ -308,7 +314,7 @@ DD findItemDelta(ItemPath propertyPath, Class
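Review bot: The new public `findItemDelta(ItemPath, Class, Class, boolean strict)` and its `findItemDelta(ItemPath, boolean)` wrapper carry no Javadoc, and `strict` is only forwarded in the MODIFY branch (`findModification(propertyPath, deltaType, strict)` in the second hunk); the ADD branch still calls `objectToAdd.findItem(propertyPath, itemType)` regardless of the flag. If strict is meant to reject loose path matches it should either be honoured there as well or the contract should say it applies to modifications only, e.g. `/** @param strict if true, only a modification whose path matches {@code propertyPath} exactly is returned; for ADD deltas the item is looked up in the object to add and the flag is not consulted */` (wording to be confirmed against findModification). Widening the method from private to public also exposes the raw `Class`/generic signature, so the Javadoc should name the expected delta/item type pairing. The `//noinspection unchecked` markers are IDE-specific while the neighbouring findPropertyDelta/findContainerDelta use `@SuppressWarnings("unchecked")`; one convention would be preferable. The body of findItemDelta continues past the hunk.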
deltaType, Class itemType) itemDelta.addValuesToAdd(item.getClonedValues()); return itemDelta; } else if (changeType == ChangeType.MODIFY) { - return findModification(propertyPath, deltaType, false); + return findModification(propertyPath, deltaType, strict); } else { return null; } @@ -425,12 +431,12 @@ public PropertyDelta findPropertyDelta(ItemPath parentPath, QName propert @SuppressWarnings("unchecked") public PropertyDelta findPropertyDelta(ItemPath propertyPath) { - return findItemDelta(propertyPath, PropertyDelta.class, PrismProperty.class); + return findItemDelta(propertyPath, PropertyDelta.class, PrismProperty.class, false); } @SuppressWarnings("unchecked") public ContainerDelta findContainerDelta(ItemPath propertyPath) { - return findItemDelta(propertyPath, ContainerDelta.class, PrismContainer.class); + return findItemDelta(propertyPath, ContainerDelta.class, PrismContainer.class, false); } public ContainerDelta findContainerDelta(QName name) { diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java index 05448dee7f8..98a8702fe2e 100644 --- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java +++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java @@ -20,6 +20,9 @@ import javax.xml.datatype.XMLGregorianCalendar; import com.evolveum.midpoint.common.LocalizationService; +import com.evolveum.midpoint.prism.*; +import com.evolveum.midpoint.prism.delta.ContainerDelta; +import com.evolveum.midpoint.xml.ns._public.common.common_3.*; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; 
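Review bot: The CredentialsProcessor import hunk replaces single-type imports with `import com.evolveum.midpoint.prism.*;` and `import com.evolveum.midpoint.xml.ns._public.common.common_3.*;`, two large packages whose wildcard import invites name clashes and hides which types the class actually depends on (the explicit ones are deleted in the next two hunks). The new code in the later hunks only adds `PrismContainer`, `PrismContainerValue`, `PasswordType`, `CredentialsType` and `ContainerDelta`, so keeping explicit imports costs five lines; `import com.evolveum.midpoint.prism.delta.ContainerDelta;` is already explicit and the rest could follow the same pattern.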
@@ -29,9 +32,6 @@ import com.evolveum.midpoint.model.impl.lens.LensFocusContext; import com.evolveum.midpoint.model.impl.lens.OperationalDataManager; import com.evolveum.midpoint.model.impl.lens.projector.ContextLoader; -import com.evolveum.midpoint.prism.PrismContext; -import com.evolveum.midpoint.prism.PrismProperty; -import com.evolveum.midpoint.prism.PrismPropertyValue; import com.evolveum.midpoint.prism.crypto.EncryptionException; import com.evolveum.midpoint.prism.crypto.Protector; import com.evolveum.midpoint.prism.delta.ObjectDelta; @@ -50,15 +50,6 @@ import com.evolveum.midpoint.util.exception.SecurityViolationException; import com.evolveum.midpoint.util.logging.Trace; import com.evolveum.midpoint.util.logging.TraceManager; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageMethodType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsStorageTypeType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType; import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType; /** 
@@ -174,13 +165,14 @@ public ObjectDelta transformFocusExecutionDelta(LensCo return focusDelta; } ObjectDelta transformedDelta = focusDelta.clone(); - transformFocusExecutionDeltaCredential(context, credsType, credsType.getPassword(), SchemaConstants.PATH_PASSWORD_VALUE, transformedDelta, "password"); + transformFocusExecutionDeltaForPasswords(context, credsType, credsType.getPassword(), SchemaConstants.PATH_PASSWORD_VALUE, transformedDelta, "password"); // TODO: nonce and others return transformedDelta; } - private void transformFocusExecutionDeltaCredential(LensContext context, + // TODO generalize for nonce and others + private void transformFocusExecutionDeltaForPasswords(LensContext context, CredentialsPolicyType credsType, CredentialPolicyType credPolicyType, ItemPath valuePropertyPath, ObjectDelta delta, String credentialName) throws SchemaException, EncryptionException { if (delta.isDelete()) { 
@@ -205,11 +197,33 @@ private void transformFocusExecutionDeltaCredential(LensC
 hashValues(prop.getValues(), storageMethod);
 }
 } else {
- PropertyDelta propDelta = delta.findPropertyDelta(valuePropertyPath);
- if (propDelta != null) {
- hashValues(propDelta.getValuesToAdd(), storageMethod);
- hashValues(propDelta.getValuesToReplace(), storageMethod);
- hashValues(propDelta.getValuesToDelete(), storageMethod);
+ //noinspection unchecked
+ PropertyDelta valueDelta = delta.findItemDelta(valuePropertyPath, PropertyDelta.class, PrismProperty.class, true);
+ if (valueDelta != null) {
+ hashValues(valueDelta.getValuesToAdd(), storageMethod);
+ hashValues(valueDelta.getValuesToReplace(), storageMethod);
+ hashValues(valueDelta.getValuesToDelete(), storageMethod); // TODO sure?
+ return;
+ }
+ ItemPath abstractCredentialPath = valuePropertyPath.allExceptLast();
+ //noinspection unchecked
+ ContainerDelta abstractCredentialDelta = delta.findItemDelta(abstractCredentialPath,
+ ContainerDelta.class, PrismContainer.class, true);
+ if (abstractCredentialDelta != null) {
+ hashPasswordPcvs(abstractCredentialDelta.getValuesToAdd(), storageMethod);
+ hashPasswordPcvs(abstractCredentialDelta.getValuesToReplace(), storageMethod);
+ // TODO what about delete? probably nothing
+ return;
+ }
+ ItemPath credentialsPath = abstractCredentialPath.allExceptLast();
+ //noinspection unchecked
+ ContainerDelta credentialsDelta = delta.findItemDelta(credentialsPath, ContainerDelta.class,
+ PrismContainer.class, true);
+ if (credentialsDelta != null) {
+ hashCredentialsPcvs(credentialsDelta.getValuesToAdd(), storageMethod);
+ hashCredentialsPcvs(credentialsDelta.getValuesToReplace(), storageMethod);
+ // TODO what about delete? probably nothing
+ return;
 }
 }
 } else if (storageType == CredentialsStorageTypeType.NONE) {
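Review bot: Each of the three lookups in the MODIFY branch ends with `return;`, so an object delta that carries modifications at more than one of the levels `.../value`, `.../password` and `credentials` gets only the first one hashed, and any password carried by a later delta would reach storage in plaintext. Unless an ObjectDelta is guaranteed to hold at most one of these item deltas (not visible here), removing the three `return;` lines lets all matching deltas be processed in a single pass. The `// TODO sure?` on `hashValues(valueDelta.getValuesToDelete(), storageMethod);` preserves what the removed lines did, so it is not a regression, but the reason deletions are hashed belongs in a comment rather than an open TODO. The enclosing method starts and ends outside the hunk.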
@@ -223,6 +237,7 @@ private void transformFocusExecutionDeltaCredential(LensC
 propDelta.setValueToReplace();
 }
 }
+ // TODO remove password also when the whole credentials or credentials/password container is added/replaced
 } else {
 throw new SchemaException("Unknown storage type "+storageType);
 }
@@ -241,6 +256,37 @@ private void hashValues(Collection> valu
 }
 }
+ private void hashPasswordPcvs(Collection> values,
+ CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
+ if (values == null) {
+ return;
+ }
+ for (PrismContainerValue pval: values) {
+ PasswordType password = pval.getValue();
+ if (password != null && password.getValue() != null) {
+ if (!password.getValue().isHashed()) {
+ protector.hash(password.getValue());
+ }
+ }
+ }
+ }
+
+ private void hashCredentialsPcvs(Collection> values,
+ CredentialsStorageMethodType storageMethod) throws SchemaException, EncryptionException {
+ if (values == null) {
+ return;
+ }
+ for (PrismContainerValue pval: values) {
+ CredentialsType credentials = pval.getValue();
+ if (credentials != null && credentials.getPassword() != null) {
+ ProtectedStringType passwordValue = credentials.getPassword().getValue();
+ if (passwordValue != null && !passwordValue.isHashed()) {
+ protector.hash(passwordValue);
+ }
+ }
+ }
+ }
+
 /**
 * Legacy. Invoked from mappings. TODO: fix
 */
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
index 3a0aa3ec2fc..cb6c5ddf715 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
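Review bot: The added `// TODO remove password also when the whole credentials or credentials/password container is added/replaced` sits in the `CredentialsStorageTypeType.NONE` branch, which still only clears the value-level property delta, while the HASHING branch in the previous hunk now also handles the two container levels; under a NONE policy a password delivered by a container-level add or replace is therefore persisted as-is. That asymmetry is the more serious gap of the two, since it is the policy that promises not to store the credential at all, and it would be better tracked as a follow-up issue with a test than left as a comment. The enclosing method starts and ends outside the hunk.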
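Review bot: `hashPasswordPcvs` and `hashCredentialsPcvs` accept a `CredentialsStorageMethodType storageMethod` that neither body reads; the pre-existing `hashValues` receives the same argument, so either the helpers should consult it (presumably to pick the hashing settings, to be confirmed against hashValues) or the parameter should be dropped so a caller is not led to believe the method is honoured. `hashPasswordPcvs` also evaluates `password.getValue()` three times where `hashCredentialsPcvs` binds it once; the same shape, `ProtectedStringType passwordValue = password.getValue(); if (passwordValue != null && !passwordValue.isHashed()) { protector.hash(passwordValue); }`, keeps the two helpers parallel. Neither helper has Javadoc; a one-line summary such as `Hashes in place every password value in the given container values that is not already hashed; null collections are ignored.` states the contract the code shows.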
@@ -3253,7 +3253,7 @@ public void test910AddUserWithNoPasswordFail() throws Exception {
 /**
 * MID-4593
 */
- @Test(enabled = false)
+ @Test
 public void test920AddCredentials() throws Exception {
 final String TEST_NAME = "test920AddCredentials";
 displayTestTitle(TEST_NAME);
@@ -3294,7 +3294,7 @@ public void test920AddCredentials() throws Exception {
 /**
 * MID-4593
 */
- @Test(enabled = false)
+ @Test
 public void test922ReplaceCredentials() throws Exception {
 final String TEST_NAME = "test922ReplaceCredentials";
 displayTestTitle(TEST_NAME);
@@ -3335,7 +3335,7 @@ public void test922ReplaceCredentials() throws Exception {
 /**
 * MID-4593
 */
- @Test(enabled = false)
+ @Test
 public void test924AddPassword() throws Exception {
 final String TEST_NAME = "test924AddPassword";
 displayTestTitle(TEST_NAME);
@@ -3373,7 +3373,7 @@ public void test924AddPassword() throws Exception {
 /**
 * MID-4593
 */
- @Test(enabled = false)
+ @Test
 public void test926ReplacePassword() throws Exception {
 final String TEST_NAME = "test926ReplacePassword";
 displayTestTitle(TEST_NAME);
@@ -3411,7 +3411,7 @@ public void test926ReplacePassword() throws Exception {
 /**
 * MID-4593
 */
- @Test(enabled = false)
+ @Test
 public void test928AddPasswordValue() throws Exception {
 final String TEST_NAME = "test928AddPasswordValue";
 displayTestTitle(TEST_NAME);
@@ -3448,7 +3448,7 @@ public void test928AddPasswordValue() throws Exception {
 /**
 * MID-4593
 */
- @Test(enabled = false)
+ @Test
 public void test929ReplacePasswordValue() throws Exception {
 final String TEST_NAME = "test929ReplacePasswordValue";
 displayTestTitle(TEST_NAME);