diff --git a/db-models/posts.js b/db-models/posts.js
index 3adbfaeb..d0d3c68d 100644
--- a/db-models/posts.js
+++ b/db-models/posts.js
@@ -14,6 +14,11 @@ module.exports = {
 // get all thread posts (posts with null thread id)
 const threads = await db.collection(board).find({
 'thread': null
+},{
+'projection': {
+'salt': 0,
+'password': 0
+}
 }).sort({
 'bumped': -1
 }).skip(10*(page-1)).limit(10).toArray();
@@ -22,8 +27,11 @@ module.exports = {
 await Promise.all(threads.map(async thread => {
 const replies = await db.collection(board).find({
 'thread': thread._id
-}, {
-'projection': { 'salt': 0 }
+},{
+'projection': {
+'salt': 0,
+'password': 0,
+}
 }).sort({
 '_id': -1
 }).limit(3).toArray();
@@ -45,7 +53,10 @@ module.exports = {
 db.collection(board).findOne({
 '_id': id
 }, {
-'projection': { 'salt': 0 } //projection to hide salts
+'projection': {
+'salt': 0,
+'password': 0
+}
 }),
 module.exports.getThreadPosts(board, id)
 ])
@@ -66,7 +77,10 @@ module.exports = {
 return db.collection(board).find({
 'thread': id
 }, {
-'projection': { 'salt': 0 } //projection to hide salts
+'projection': {
+'salt': 0 ,
+'password': 0
+}
 }).sort({
 '_id': 1
 }).toArray();
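Review bot: The exclusion projection `{ 'salt': 0, 'password': 0 }` is now hand-written at five read sites in posts.js (this hunk and the ones at @@ -22, @@ -45, @@ -66 and @@ -79), so any further field that must never reach a page would have to be added in each place separately, and one missed site would expose it. A single module-level constant such as `const hideSecrets = { 'salt': 0, 'password': 0 };` used as `'projection': hideSecrets` at every non-admin read keeps that decision in one place. The `'salt': 0 ,` in the @@ -66 hunk also carries a stray space before the comma. Each of these calls sits inside a method of module.exports whose body begins before the hunk.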
@@ -79,31 +93,42 @@ module.exports = {
 return db.collection(board).find({
 'thread': null
 }, {
-'projection': { 'salt': 0 } //projection to hide salts
+'projection': {
+'salt': 0,
+'password': 0
+}
 }).toArray();
 },
-getPost: async (board, id, salt) => {
+getPost: async (board, id, admin) => {
 // get a post
 return db.collection(board).findOne({
 '_id': id
 }, {
-'projection': { 'salt': salt || false } //projection to hide salts
+'projection': {
+'salt': admin || false,
+'password': admin || false
+//only reveal passwords when admin is true (e.g. getting to check salt)
+}
 });
 },
 //takes array "ids" of post ids
-getPosts: async(board, ids) => {
+getPosts: async(board, ids, admin) => {
 return db.collection(board).find({
 '_id': {
 '$in': ids
 }
 }, {
-'projection': { 'salt': 0 } //projection to hide salts
+'projection': {
+'salt': admin || false,
+'password': admin || false
+//only reveal passwords when admin is true (e.g. when fetching for deletion)
+}
 }).toArray();
 },
diff --git a/models/api/delete-post.js b/models/api/delete-post.js
index 73898bc6..311f7ceb 100644
--- a/models/api/delete-post.js
+++ b/models/api/delete-post.js
@@ -11,7 +11,7 @@ module.exports = async (req, res) => {
 //get all posts that were checked
 let posts;
 try {
-posts = await Posts.getPosts(req.params.board, req.body.checked);
+posts = await Posts.getPosts(req.params.board, req.body.checked, true); //admin arument true, fetches passwords and salts
 } catch (err) {
 console.error(err);
 return res.status(500).render('error');
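Review bot: When `admin` is truthy, `'salt': admin || false, 'password': admin || false` evaluates to `{ salt: true, password: true }`, which MongoDB treats as an inclusion projection, so getPost and getPosts then return only `_id`, `salt` and `password` and drop every other field of the document. The new caller in delete-post.js passes `true`, so if the deletion path reads anything else from those posts it will see `undefined`; the previous `salt || false` form in getPost had the same inclusion behaviour, so existing getPost callers may depend on it and should be checked before changing it. If the intent is "whole document including the secrets", select the projection as a unit instead, e.g. `'projection': admin ? {} : { 'salt': 0, 'password': 0 }`, in both getPost and getPosts. getPost and getPosts are complete within this hunk, but the method at its top starts before it.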
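Review bot: After this line every element of `posts` carries its `salt` and `password` for the rest of the handler, so nothing later in delete-post.js should hand that array, or a post taken from it, to `res.render`, a log line or a response body; once the fields have served their purpose (presumably verifying the supplied password) it is safest to strip them from the objects. The trailing comment also misspells "arument"; `//admin argument true: fetches passwords and salts` reads cleanly. The handler body continues past the hunk, so the later uses of `posts` are not visible here.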