diff --git a/vault/core_test.go b/vault/core_test.go
index 1347b6615b..11e410a124 100644
--- a/vault/core_test.go
+++ b/vault/core_test.go
@@ -1308,3 +1308,39 @@ func TestCore_HandleRequest_InternalData(t *testing.T) {
 		t.Fatalf("bad: %#v", lresp)
 	}
 }
+
+// Ensure login does not return a secret
+func TestCore_HandleLogin_ReturnSecret(t *testing.T) {
+	// Create a badass credential backend that always logs in as armon
+	noopBack := &NoopBackend{
+		Login: []string{"login"},
+		Response: &logical.Response{
+			Secret: &logical.Secret{},
+			Auth: &logical.Auth{
+				Policies: []string{"foo", "bar"},
+			},
+		},
+	}
+	c, _, root := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(map[string]string) (logical.Backend, error) {
+		return noopBack, nil
+	}
+
+	// Enable the credential backend
+	req := logical.TestRequest(t, logical.WriteOperation, "sys/auth/foo")
+	req.Data["type"] = "noop"
+	req.ClientToken = root
+	_, err := c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Attempt to login
+	lreq := &logical.Request{
+		Path: "auth/foo/login",
+	}
+	_, err = c.HandleRequest(lreq)
+	if err != ErrInternalError {
+		t.Fatalf("err: %v", err)
+	}
+}
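Review bot: The test's stated goal is that login never returns a secret, but the final HandleRequest call discards the response (`_, err = c.HandleRequest(lreq)`) and only pins the error value, so a response that carries the backend's Secret alongside ErrInternalError would still pass. Capture and check it: `lresp, err := c.HandleRequest(lreq)` followed by `if lresp != nil { t.Fatalf("bad: %#v", lresp) }` after the existing error comparison, which makes the assertion match the test's name and leading comment. Separately, the fixture comment `// Create a badass credential backend that always logs in as armon` does not describe the fixture, which has no user and only returns a Response with an empty Secret and two policies; `// Credential backend whose login response wrongly includes a Secret` says what the test actually relies on.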