Look at the :except option: http://rails.rubyonrails.org/classes/ActiveRecord/XmlSerialization.html#M000910
If you want to make this default you can just override it in your model:
to_xml(options = {}) super(options.update(:except => [:pw_hash, :pw_salt])) end