Problem/Motivation
Follow-up to #2418119: REST user updates bypass tightened user account change validation. That issue adds an "existing" column to the password field, and this column always holds a password in plain text. When we save a user, the password value column is hashed, but this column is left alone. The column is not saved to the database, but it is present in the user object (it does need to be).
If you do:
$user = \Drupal\user\Entity\User::load(1);
$user->setExistingPassword('blah');
print serialize($user);
You see the existing password.
Proposed resolution
If an existing password or a password is set in clear text on the user object, we should mark the object as unsafe for serialization and throw an error if the object is serialized.
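A sketch of the guard proposed above, added here as an illustration and not taken from Drupal core or from any patch on this issue. The class AccountSketch, its properties and isUnsafeForSerialization() are hypothetical names; only setExistingPassword() and the sample value 'blah' come from the snippet above.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a user entity; this is not Drupal's User class.
final class AccountSketch
{
    private string $name;
    private ?string $passHash = null;
    // Clear-text values that exist only on the in-memory object.
    private ?string $plainPassword = null;
    private ?string $existingPassword = null;

    public function __construct(string $name) { $this->name = $name; }
    public function setPassword(string $clear): void { $this->plainPassword = $clear; }
    public function setExistingPassword(string $clear): void { $this->existingPassword = $clear; }

    // Mirrors the behaviour described above: saving hashes the new password
    // but leaves the existing-password value untouched on the object.
    public function save(): void
    {
        if ($this->plainPassword !== null) {
            $this->passHash = password_hash($this->plainPassword, PASSWORD_DEFAULT);
            $this->plainPassword = null;
        }
    }

    public function isUnsafeForSerialization(): bool
    {
        return $this->plainPassword !== null || $this->existingPassword !== null;
    }

    // serialize() calls this; refusing here keeps clear text out of caches,
    // queues, sessions and anything else that stores serialized objects.
    public function __serialize(): array
    {
        if ($this->isUnsafeForSerialization()) {
            throw new LogicException('Account holds a clear-text password and must not be serialized.');
        }
        return ['name' => $this->name, 'passHash' => $this->passHash];
    }

    public function __unserialize(array $data): void
    {
        $this->name = $data['name'];
        $this->passHash = $data['passHash'];
    }
}

$account = new AccountSketch('admin');
$account->setExistingPassword('blah'); // sample value from the snippet above
$account->save();                      // existing password is still on the object
try {
    serialize($account);
} catch (LogicException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
echo serialize(new AccountSketch('admin')), PHP_EOL; // no clear text set: allowed
```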