diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc
index 7c0d7c2a76b..1ad95817fbe 100644
--- a/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/index.adoc
@@ -34,6 +34,8 @@ public class SecurityConfig {
 
 	@Bean
 	public UserDetailsService userDetailsService() {
+		// User.withDefaultPasswordEncoder() is considered unsafe for production
+		// and is only intended for sample applications.
 		UserDetails userDetails = User.withDefaultPasswordEncoder()
 			.username("user")
 			.password("password")