diff --git a/defaults/main.yml b/defaults/main.yml
index d734b6a..a847984 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -563,6 +563,9 @@ rhel9cis_selinux_enforce: enforcing
 # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
 rhel9cis_bootloader_password: password # pragma: allowlist secret
+# Set this value to anything secure to have predictable hashes, which will prevent unnecessary changes
+rhel9cis_bootloader_salt: ''
+
 ## Control 1.4.1
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 2252c26..ec95c16 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -13,7 +13,7 @@
 - NIST800-53R5_AC-3
 ansible.builtin.copy:
 dest: /boot/grub2/user.cfg
- content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash) }}" # noqa template-instead-of-copy
+ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash | default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}" # noqa template-instead-of-copy
 owner: root
 group: root
 mode: 'go-rwx'
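Review bot: The comment on the new `rhel9cis_bootloader_salt` default says "anything secure" but does not state what shape the value must take or what the empty default means, and since `grub_hash` is not in this diff a reader cannot tell whether `''` yields a random salt or an unsalted PBKDF2 hash. Suggest replacing the comment with `# Optional fixed salt for the GRUB2 PBKDF2 hash so repeated runs produce the same user.cfg (idempotent). Leave empty to let grub_hash choose the salt; if set, use a long random string and keep it in vault alongside rhel9cis_bootloader_password.` It is also worth a sentence noting that one salt shared by every host means hosts with the same password get identical hashes, which is the trade-off being made for predictable output.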
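Review bot: The rewritten `content` line still uses `default()` without its second argument, so the fallback to `grub_hash` only fires when `rhel9cis_bootloader_password_hash` is undefined; a host that sets it to `''` or null writes `GRUB2_PASSWORD=` into /boot/grub2/user.cfg with no password at all. Change the expression to `default(rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt), true)` so empty values also fall back. The salt is now passed unconditionally, including the empty default, so whatever the filter does with `''` decides whether the written hash is salted; if the filter does not handle that case itself, an `ansible.builtin.assert` on the salt value before this task would make the contract explicit. The enclosing task starts before this hunk, so its `name` and `when` are not visible here.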