diff --git a/database/db.go b/database/db.go
index 744f1401..251ca3e7 100644
--- a/database/db.go
+++ b/database/db.go
@@ -10,6 +10,7 @@ import (
 "x-ui/config"
 "x-ui/database/model"
+ "x-ui/util/crypto"
 "x-ui/xray"
 "gorm.io/driver/sqlite"
@@ -52,7 +53,7 @@ func initUser() error {
 if empty {
 user := &model.User{
 Username: defaultUsername,
- Password: defaultPassword,
+ Password: crypto.HashSHA256(defaultPassword),
 LoginSecret: defaultSecret,
 }
 return db.Create(user).Error
diff --git a/util/crypto/crypto.go b/util/crypto/crypto.go
new file mode 100644
index 00000000..039e16f7
--- /dev/null
+++ b/util/crypto/crypto.go
@@ -0,0 +1,12 @@
+package crypto
+
+import (
+ "crypto/sha256"
+ "encoding/hex"
+)
+
+func HashSHA256(text string) string {
+ hasher := sha256.New()
+ hasher.Write([]byte(text))
+ return hex.EncodeToString(hasher.Sum(nil))
+}
diff --git a/web/controller/setting.go b/web/controller/setting.go
index d04969dc..c296c875 100644
--- a/web/controller/setting.go
+++ b/web/controller/setting.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "time"
+ "x-ui/util/crypto"
 "x-ui/web/entity"
 "x-ui/web/service"
 "x-ui/web/session"
@@ -84,7 +85,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 return
 }
 user := session.GetLoginUser(c)
- if user.Username != form.OldUsername || user.Password != form.OldPassword {
+ if user.Username != form.OldUsername || user.Password != crypto.HashSHA256(form.OldPassword) {
 jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), errors.New(I18nWeb(c, "pages.settings.toasts.originalUserPassIncorrect")))
 return
 }
@@ -95,7 +96,7 @@ func (a *SettingController) updateUser(c *gin.Context) {
 err = a.userService.UpdateUser(user.Id, form.NewUsername, form.NewPassword)
 if err == nil {
 user.Username = form.NewUsername
- user.Password = form.NewPassword
+ user.Password = crypto.HashSHA256(form.NewPassword)
 session.SetLoginUser(c, user)
 }
 jsonMsg(c, I18nWeb(c, "pages.settings.toasts.modifyUser"), err)
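Review bot: `HashSHA256` in util/crypto/crypto.go stores passwords as a single unsalted SHA-256 digest, which is a fast general-purpose hash rather than a password hash: equal passwords give equal stored values (including the seeded default in `initUser`), and a leaked database can be guessed against at very high rates. A dedicated password-hashing function with a per-user salt and a work factor (bcrypt, scrypt or Argon2id) is the usual choice; the sketch below uses `golang.org/x/crypto/bcrypt`, which would be a new dependency for this module. Because such hashes are salted, `CheckUser` could no longer match the password inside the SQL `Where` clause and would have to load the row by username and verify afterwards. The exported function also has no doc comment.

```go
// HashPassword returns a salted bcrypt hash of password for storage.
func HashPassword(password string) (string, error) {
	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
	if err != nil {
		return "", err
	}
	return string(hash), nil
}

// CheckPassword reports whether password matches the stored bcrypt hash.
func CheckPassword(hash, password string) bool {
	return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) == nil
}
```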
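Review bot: The old-password check in `updateUser` now hashes in the controller, and the second setting.go hunk (`user.Password = crypto.HashSHA256(form.NewPassword)`) recomputes the stored value independently of `UserService.UpdateUser`, so the hashing scheme is encoded in two layers that have to be kept in step. Consider letting the service own both operations, for example a verify method plus `UpdateUser` returning the value it stored, so the controller never calls `crypto` directly. The comparison is also made against the session copy of the user; sessions created before this change presumably still carry the plaintext password, in which case this check fails until the user logs in again, which is worth confirming. Both hunks show only part of `updateUser`.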
diff --git a/web/service/user.go b/web/service/user.go
index 7438cf1a..a55ceca0 100644
--- a/web/service/user.go
+++ b/web/service/user.go
@@ -6,6 +6,7 @@ import (
 "x-ui/database"
 "x-ui/database/model"
 "x-ui/logger"
+ "x-ui/util/crypto"
 "gorm.io/gorm"
 )
@@ -30,7 +31,7 @@ func (s *UserService) CheckUser(username string, password string, secret string)
 user := &model.User{}
 err := db.Model(model.User{}).
- Where("username = ? and password = ? and login_secret = ?", username, password, secret).
+ Where("username = ? and password = ? and login_secret = ?", username, crypto.HashSHA256(password), secret).
 First(user).
 Error
 if err == gorm.ErrRecordNotFound {
@@ -46,7 +47,7 @@ func (s *UserService) UpdateUser(id int, username string, password string) error
 db := database.GetDB()
 return db.Model(model.User{}).
 Where("id = ?", id).
- Updates(map[string]any{"username": username, "password": password}).
+ Updates(map[string]any{"username": username, "password": crypto.HashSHA256(password)}).
 Error
 }
@@ -105,12 +106,12 @@ func (s *UserService) UpdateFirstUser(username string, password string) error {
 err := db.Model(model.User{}).First(user).Error
 if database.IsNotFound(err) {
 user.Username = username
- user.Password = password
+ user.Password = crypto.HashSHA256(password)
 return db.Model(model.User{}).Create(user).Error
 } else if err != nil {
 return err
 }
 user.Username = username
- user.Password = password
+ user.Password = crypto.HashSHA256(password)
 return db.Save(user).Error
 }
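Review bot: `CheckUser` now matches `password = ?` against `crypto.HashSHA256(password)`, but nothing in this diff converts rows written before the change, so an existing installation whose `password` column still holds plaintext would reject every login after upgrading. If no migration exists elsewhere, add a one-time step at database initialisation that rewrites existing plaintext values, with a way to tell already-hashed rows apart so it is not applied twice. The function begins and ends outside the hunk.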
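Review bot: In `UpdateFirstUser` the pair `user.Username = username` / `user.Password = crypto.HashSHA256(password)` is now repeated in both branches; computing the value once before the branch, `hashed := crypto.HashSHA256(password)`, keeps the two paths from drifting when the scheme changes. No check for an empty `password` is visible in the hunk, and hashing turns an empty string into a normal-looking digest, so validation should happen before this point if it does not already. The start of the function is outside the hunk.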