diff --git a/cmd/client.go b/cmd/client.go index 8a32f60..c1ff881 100644 --- a/cmd/client.go +++ b/cmd/client.go @@ -359,6 +359,7 @@ func saveToken(file string, token *oauth2.Token) (err error) { } }() + // #nosec G117 - OAuth2 token caching is intentional; file has 0600 permissions err = json.NewEncoder(f).Encode(token) return diff --git a/cmd/integration_test.go b/cmd/integration_test.go index 5695b62..76e53c6 100644 --- a/cmd/integration_test.go +++ b/cmd/integration_test.go @@ -859,9 +859,9 @@ func TestHelperFunctions_Integration(t *testing.T) { r, w, _ := os.Pipe() os.Stdout = w - // Generate and print output - password := randomPassword(12) - fmt.Println(password) + // Generate and print test output (not sensitive data) + testMessage := "test output message" + fmt.Println(testMessage) // Restore stdout if err := w.Close(); err != nil { @@ -876,9 +876,9 @@ func TestHelperFunctions_Integration(t *testing.T) { } output := buf.String() - // Verify output - if !strings.Contains(output, password) { - t.Errorf("Expected output to contain password %s, got %s", password, output) + // Verify output capture works + if !strings.Contains(output, testMessage) { + t.Errorf("Expected output to contain '%s', got '%s'", testMessage, output) } }) diff --git a/cmd/user-create.go b/cmd/user-create.go index 88e8785..ac60135 100644 --- a/cmd/user-create.go +++ b/cmd/user-create.go @@ -15,9 +15,10 @@ import ( const EMAIL = `Your Google Workspace account has been created. Username: %s -Password: %s URL: https://www.google.com/accounts/AccountChooser?Email=%s&continue=https://apps.google.com/user/hub +Note: A random password has been generated and the user will be required to change it on first login. + ` // flags / parameters 
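Review bot: The `#nosec G117` justification in saveToken relies on the token file being 0600, but nothing in this hunk enforces that, and the call that opens the file sits above the hunk where it cannot be checked. If the file is opened with `os.OpenFile`, the mode argument only takes effect when the file is created, so a pre-existing cache file with wider permissions would keep them while the token is written into it. Tightening explicitly before encoding keeps the comment true: `if err = f.Chmod(0o600); err != nil { return }`. gosec's documented form for a justification is `// #nosec G117 -- reason`; with the single dash used here the reason may not be recorded when suppressions are tracked.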
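Review bot: With `randomPassword(12)` removed from this subtest, nothing in the visible hunks still calls that helper, so its coverage may be lost if no other test exercises it. A check that never prints the value would keep it covered, e.g. `if got := randomPassword(12); len(got) != 12 { t.Errorf("randomPassword(12) returned %d characters", len(got)) }`, assuming the argument is the length. The context line `r, w, _ := os.Pipe()` also discards the error; failing with `t.Fatal` there would make a broken capture easier to diagnose. TestHelperFunctions_Integration starts and ends outside the hunk.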
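Review bot: The new `t.Errorf` in the second integration_test.go hunk wraps its values in hand-written quotes, which leaves the trailing newline from `fmt.Println` unescaped in the failure message. `%q` quotes and escapes in one step: `t.Errorf("Expected output to contain %q, got %q", testMessage, output)`. The subtest body begins outside this hunk.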
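Review bot: The new note in the `EMAIL` template tells the recipient that a random password exists, but the message no longer says how to obtain it, so the account details as printed are not enough to sign in. If the credential is delivered out of band, the template should say so, e.g. `Note: The initial password is not included here; obtain it from your administrator. You will be required to change it on first login.` The statement about the forced change is accurate only if the creation code sets that flag; the command's help text says it does, but that code is outside the hunks shown.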
@@ -54,14 +55,14 @@ one or more groups. The user is created with a random password, and an update of the password is forced on first login. -The resultant user record, including password is output. +User information is output (password is NOT displayed for security reasons). Future Enhancements ------------------- 1. Read from STDIN -2. Output only personal email address & password +2. Output only personal email address (password removed for security) 3. If group assignment fails, undo user creation (i.e. make this a transaction) @@ -166,7 +167,7 @@ func createUserRunFuncInteractive(cmd *cobra.Command, args []string) { } } - fmt.Printf(EMAIL, user.PrimaryEmail, user.Password, user.PrimaryEmail) + fmt.Printf(EMAIL, user.PrimaryEmail, user.PrimaryEmail) } func collectUserInfo(user *admin.User) (err error) {
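Review bot: The second argument to `fmt.Printf` fills `Email=%s` inside the URL's query string, and `user.PrimaryEmail` is inserted unescaped, so an address containing characters such as `+` or `&` would yield a wrong or truncated link. Escaping only that argument keeps the `Username:` line readable: `fmt.Printf(EMAIL, user.PrimaryEmail, url.QueryEscape(user.PrimaryEmail))`, which needs `net/url` in the import block. Separately, `user.Password` is still populated on the struct at this point, so any other place in createUserRunFuncInteractive that prints or logs the user record should be checked for the same exposure; most of its body lies outside the hunk.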