diff --git a/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java b/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
index 4498226..0c80f26 100644
--- a/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
+++ b/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
@@ -1,5 +1,6 @@
 package org.jeecg.config.shiro;
 
+import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
@@ -118,6 +119,8 @@ public class ShiroRealm extends AuthorizingRealm {
         //如果redis缓存用户信息为空,则通过接口获取用户信息,避免超过两个小时操作中token过期
         if(loginUser==null){
             loginUser = commonAPI.getUserByName(username);
+            //密码二次加密,因为存于redis会泄露
+            loginUser.setPassword(SecureUtil.md5(loginUser.getPassword()));
         }
         if (loginUser == null) {
             throw new AuthenticationException("用户不存在!");
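Review bot: The added `loginUser.setPassword(SecureUtil.md5(loginUser.getPassword()))` dereferences `loginUser` before the `if (loginUser == null)` check that follows it. When `commonAPI.getUserByName(username)` returns null, the realm therefore fails with a NullPointerException instead of the intended `AuthenticationException("用户不存在!")`. Move the re-hash below the null check, or guard it: `if (loginUser != null) { loginUser.setPassword(SecureUtil.md5(loginUser.getPassword())); }`. The enclosing method starts and ends outside this hunk.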
diff --git a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
index fa34b8d..c3639ce 100644
--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
@@ -81,7 +81,8 @@ public class LoginController {
         String lowerCaseCaptcha = captcha.toLowerCase();
 		String realKey = MD5Util.MD5Encode(lowerCaseCaptcha+sysLoginModel.getCheckKey(), "utf-8");
 		Object checkCode = redisUtil.get(realKey);
-		if(checkCode==null || !checkCode.equals(lowerCaseCaptcha)) {
+		//当进入登录页时,有一定几率出现验证码错误 #1714
+		if(checkCode==null || !checkCode.toString().equals(lowerCaseCaptcha)) {
 			result.error500("验证码错误");
 			return result;
 		}
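Review bot: The new comment above the `checkCode` comparison cites #1714 but does not say why `toString()` is needed. The change only makes sense if `redisUtil.get(realKey)` can return something other than a `String`, presumably an all-digit captcha deserialized as a number; that should be confirmed. A comment such as `// redisUtil.get may return a non-String value (e.g. a numeric captcha); compare by string form, see #1714` would record the cause for the next reader. The method body continues outside this hunk.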
@@ -355,7 +356,7 @@ public class LoginController {
 		String syspassword = sysUser.getPassword();
 		String username = sysUser.getUsername();
 		// 生成token
-		String token = JwtUtil.sign(username, syspassword);
+		String token = JwtUtil.sign(username, SecureUtil.md5(syspassword));
         // 设置token缓存有效时间
 		redisUtil.set(CommonConstant.PREFIX_USER_TOKEN + token, token);
 		redisUtil.expire(CommonConstant.PREFIX_USER_TOKEN + token, JwtUtil.EXPIRE_TIME*2 / 1000);
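Review bot: The value now passed to `JwtUtil.sign` is `SecureUtil.md5(syspassword)`, the same value the next hunk writes to Redis with `vo.setPassword(SecureUtil.md5(sysUser.getPassword()))`. If the second argument of `JwtUtil.sign` is the signing secret (it appears to be, but `JwtUtil` is not visible here), the cached `LoginUser` holds that user's token-signing key. Anyone who can read the cache then has what is needed to mint tokens, which is the exposure the `//密码二次加密` comment sets out to close. An unsalted MD5 over the stored hash is also a deterministic, fast transform, so it adds little protection over the stored value. Consider signing with a server-side key that is never written to Redis, or deriving the per-user secret with an HMAC keyed by such a key, and keeping the password-derived field out of the cached object.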
@@ -363,6 +364,7 @@ public class LoginController {
 		//update-begin-author:taoyan date:20200812 for:登录缓存用户信息
 		LoginUser vo = new LoginUser();
 		BeanUtils.copyProperties(sysUser,vo);
+		//密码二次加密,因为存于redis会泄露
 		vo.setPassword(SecureUtil.md5(sysUser.getPassword()));
 		redisUtil.set(CacheConstant.SYS_USERS_CACHE_JWT +":" +token, vo);
 		redisUtil.expire(CacheConstant.SYS_USERS_CACHE_JWT +":" +token, JwtUtil.EXPIRE_TIME*2 / 1000);