diff --git a/application/dashlet.class.inc.php b/application/dashlet.class.inc.php
index dbc231878..bd5cebe50 100644
--- a/application/dashlet.class.inc.php
+++ b/application/dashlet.class.inc.php
@@ -733,7 +733,8 @@ abstract class DashletGroupBy extends Dashlet
 if (is_subclass_of($sAttType, 'AttributeFriendlyName')) continue;
 if ($sAttType == 'AttributeExternalField') continue;
 if (is_subclass_of($sAttType, 'AttributeExternalField')) continue;
-
+ if ($sAttType == 'AttributeOneWayPassword') continue;
+
 $sLabel = $this->oModelReflection->GetLabel($sClass, $sAttCode);
 $aGroupBy[$sAttCode] = $sLabel;
diff --git a/application/displayblock.class.inc.php b/application/displayblock.class.inc.php
index 042e7a285..36ec3c687 100644
--- a/application/displayblock.class.inc.php
+++ b/application/displayblock.class.inc.php
@@ -397,7 +397,7 @@ class DisplayBlock
 {
 if (isset($aExtraParams['group_by_label']))
 {
- $oGroupByExp = Expression::FromOQL($aExtraParams['group_by']);
+ $oGroupByExp = Expression::FromOQL($aExtraParams['group_by']);
 $sGroupByLabel = $aExtraParams['group_by_label'];
 }
 else
@@ -408,6 +408,21 @@ class DisplayBlock
 $sGroupByLabel = MetaModel::GetLabel($this->m_oFilter->GetClass(), $aExtraParams['group_by']);
 }
+ // Security filtering
+ $aFields = $oGroupByExp->ListRequiredFields();
+ foreach($aFields as $sFieldAlias)
+ {
+ if (preg_match('/^([^.]+)\\.([^.]+)$/', $sFieldAlias, $aMatches))
+ {
+ $sFieldClass = $this->m_oFilter->GetClassName($aMatches[1]);
+ $oAttDef = MetaModel::GetAttributeDef($sFieldClass, $aMatches[2]);
+ if ($oAttDef instanceof AttributeOneWayPassword)
+ {
+ throw new Exception('Grouping on password fields is not supported.');
+ }
+ }
+ }
+
 $aGroupBy = array();
 $aGroupBy['grouped_by_1'] = $oGroupByExp;
 $sSql = $this->m_oFilter->MakeGroupByQuery($aQueryParams, $aGroupBy, true);
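Review bot: The new `if ($sAttType == 'AttributeOneWayPassword') continue;` excludes only the exact class name, whereas the AttributeExternalField exclusion two lines above pairs the equality test with an `is_subclass_of()` test, so a subclass of AttributeOneWayPassword would still be offered as a grouping candidate in the dashlet editor. Adding `if (is_subclass_of($sAttType, 'AttributeOneWayPassword')) continue;` keeps the two exclusions consistent and matches the `instanceof` test that displayblock.class.inc.php uses for the server-side check, which is the real enforcement point; this loop only shapes the UI list. The loop belongs to a method whose start and end lie outside the hunk.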
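Review bot: The password check in the `@@ -408,6 +408,21 @@` hunk silently allows any required field whose name does not match the `alias.attcode` pattern: the `preg_match()` branch has no `else`, so a field name of another shape (if `ListRequiredFields()` can return one — I cannot confirm that from the hunk) would reach `MakeGroupByQuery()` unchecked. A security filter should fail closed, e.g. `else { throw new Exception('Grouping on this field is not supported.'); }`, and it is worth confirming whether `MetaModel::GetAttributeDef()` throws on an unknown attribute code or returns null, since a null result quietly passes the `instanceof` test. The `// Security filtering` comment should state the why, for example `// Refuse to group on one-way password attributes: the GROUP BY result would expose the stored hash values.` The enclosing method starts and ends outside the hunk, so I cannot see whether the base `Exception` type is what its callers expect to catch.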