Restrict attributes in to_xml

Look at the :except option:
http://rails.rubyonrails.org/classes/ActiveRecord/XmlSerialization.html#M000910

If you want to make this default you can just override it in your model:

to_xml(options = {})
  super(options.update(:except => [:pw_hash, :pw_salt]))
end