diff --git a/api/v1beta1/user_types.go b/api/v1beta1/user_types.go
index 16f8f7ca..0a1cf3d1 100644
--- a/api/v1beta1/user_types.go
+++ b/api/v1beta1/user_types.go
@@ -27,12 +27,15 @@ type UserSpec struct {
 // exist for the User object to be created.
 // +kubebuilder:validation:Required
 RabbitmqClusterReference RabbitmqClusterReference `json:"rabbitmqClusterReference"`
- // Defines a Secret used to pre-define the username and password set for this User. User objects created
- // with this field set will not have randomly-generated credentials, and will instead import
- // the username/password values from this Secret.
- // The Secret must contain the keys `username` and `password` in its Data field, or the import will fail.
- // Note that this import only occurs at creation time, and is ignored once a password has been set
- // on a User.
+ // Defines a Secret containing the credentials for the User. If this field is omitted, random a username and
+ // password will be generated. The Secret must have the following keys in its Data field:
+ //
+ // * `username` – Must be present or the import will fail.
+ // * `passwordHash` – The SHA-512 hash of the password. If the hash is an empty string, a passwordless user
+ // will be created. For more information, see https://www.rabbitmq.com/docs/passwords.
+ // * `password` – Plain-text password. Will be used only if the `passwordHash` key is missing.
+ //
+ // Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
 ImportCredentialsSecret *corev1.LocalObjectReference `json:"importCredentialsSecret,omitempty"`
 }
diff --git a/config/crd/bases/rabbitmq.com_users.yaml b/config/crd/bases/rabbitmq.com_users.yaml
index b534d567..619c82a9 100644
--- a/config/crd/bases/rabbitmq.com_users.yaml
+++ b/config/crd/bases/rabbitmq.com_users.yaml
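Review bot: The `passwordHash` bullet in the new `ImportCredentialsSecret` comment calls the value "The SHA-512 hash of the password", which reads as a bare digest, while the RabbitMQ page it links to describes a salted, base64-encoded hash; I would word it as `` // * `passwordHash` – Salted SHA-512 hash of the password, base64-encoded in the format described at https://www.rabbitmq.com/docs/passwords. `` (the code that sends the hash to the broker is outside this hunk, so confirm the exact format and algorithm there). The comment should also spell out that an empty `passwordHash` is not treated as a missing key: by the stated rule it overrides `password` and produces a passwordless user, which a templated Secret with an unset value could trigger by accident. "The Secret must have the following keys" overstates the contract, since the bullets describe `passwordHash` and `password` as alternatives, and "random a username" should read "a random username". The CRD YAML and asciidoc hunks carry the same generated text, so they need regenerating after the comment is fixed.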
@@ -43,12 +43,17 @@ spec: properties: importCredentialsSecret: description: |- - Defines a Secret used to pre-define the username and password set for this User. User objects created - with this field set will not have randomly-generated credentials, and will instead import - the username/password values from this Secret. - The Secret must contain the keys `username` and `password` in its Data field, or the import will fail. - Note that this import only occurs at creation time, and is ignored once a password has been set - on a User. + Defines a Secret containing the credentials for the User. If this field is omitted, random a username and + password will be generated. The Secret must have the following keys in its Data field: + + + * `username` – Must be present or the import will fail. + * `passwordHash` – The SHA-512 hash of the password. If the hash is an empty string, a passwordless user + will be created. For more information, see https://www.rabbitmq.com/docs/passwords. + * `password` – Plain-text password. Will be used only if the `passwordHash` key is missing. + + + Note that this import only occurs at creation time, and is ignored once a password has been set on a User. properties: name: default: "" diff --git a/docs/api/rabbitmq.com.ref.asciidoc b/docs/api/rabbitmq.com.ref.asciidoc index 50b5c41a..6957e54b 100644 --- a/docs/api/rabbitmq.com.ref.asciidoc +++ b/docs/api/rabbitmq.com.ref.asciidoc 
@@ -1411,12 +1411,17 @@ but cannot perform any management actions. For more information, see https://www.rabbitmq.com/management.html#permissions. | *`rabbitmqClusterReference`* __xref:{anchor_prefix}-github-com-rabbitmq-messaging-topology-operator-api-v1beta1-rabbitmqclusterreference[$$RabbitmqClusterReference$$]__ | Reference to the RabbitmqCluster that the user will be created for. This cluster must exist for the User object to be created. -| *`importCredentialsSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | Defines a Secret used to pre-define the username and password set for this User. User objects created -with this field set will not have randomly-generated credentials, and will instead import -the username/password values from this Secret. -The Secret must contain the keys `username` and `password` in its Data field, or the import will fail. -Note that this import only occurs at creation time, and is ignored once a password has been set -on a User. +| *`importCredentialsSecret`* __link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#localobjectreference-v1-core[$$LocalObjectReference$$]__ | Defines a Secret containing the credentials for the User. If this field is omitted, random a username and +password will be generated. The Secret must have the following keys in its Data field: + + + * `username` – Must be present or the import will fail. + * `passwordHash` – The SHA-512 hash of the password. If the hash is an empty string, a passwordless user + will be created. For more information, see https://www.rabbitmq.com/docs/passwords. + * `password` – Plain-text password. Will be used only if the `passwordHash` key is missing. + + +Note that this import only occurs at creation time, and is ignored once a password has been set on a User. |===