update_with_password doesn't change encrypted password when it is invalid

closes #2130

lib/devise/models/database_authenticatable.rb

@@ -64,6 +64,7 @@ module Devise
         result = if valid_password?(current_password)
           update_attributes(params, *options)
         else
+          params.delete(:password)
           self.assign_attributes(params, *options)
           self.valid?
           self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)

test/models/database_authenticatable_test.rb

@@ -108,6 +108,13 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_match "is invalid", user.errors[:current_password].join
   end
 
+  test 'should not change encrypted password when it is invalid' do
+    user = create_user
+    assert_not user.update_with_password(:current_password => 'other',
+      :password => 'pass4321', :password_confirmation => 'pass4321')
+    assert_not user.encrypted_password_changed?
+  end
+
   test 'should add an error to current password when it is blank' do
     user = create_user
     assert_not user.update_with_password(:password => 'pass4321',