diff --git a/security/entity_provider.rst b/security/entity_provider.rst index 32cb4460bbb..202fd820332 100644 --- a/security/entity_provider.rst +++ b/security/entity_provider.rst @@ -169,6 +169,13 @@ forces the class to have the five following methods: To learn more about each of these, see :class:`Symfony\\Component\\Security\\Core\\User\\UserInterface`. +.. caution:: + + The ``eraseCredentials()`` method is only meant to clean up possibly stored + plain text passwords (or similar credentials). Be careful what to erase + if your user class is also mapped to a database as the modified object + will likely be persisted during the request. + What do the serialize and unserialize Methods do? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
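Review bot: The added caution's second sentence, "Be careful what to erase if your user class is also mapped to a database", warns the reader without telling them what is safe to clear. Suggest stating the rule directly: only properties that are not mapped to the database (for example a temporary plain text password field) should be reset in ``eraseCredentials()``, and mapped properties should be left untouched, since the caution itself says the modified object will likely be persisted during the request. "Will likely be persisted" is also vague; if the concern is that the changed values get written back to the database, say so. Minor style point in the same sentence: add a comma before "as the modified object" so the clause reads as the reason rather than a comparison.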