diff --git a/defaults/main.yml b/defaults/main.yml
index b026a33..931ea93 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -569,6 +569,10 @@ rhel9cis_selinux_enforce: enforcing
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: false
 
+# Either set rhel9cis_bootloader_password_hash or rhel9cis_bootloader_password and rhel9cis_bootloader_salt
+# If you are not using the bootloader hash filter you can set it here if the encrypted format e.g. grub.pbkdf2.sha512.hashstring
+rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
+
 # This variable will store the GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value must be changed.
 rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
 
diff --git a/tasks/main.yml b/tasks/main.yml
index c0d3ba3..4525a74 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -47,7 +47,7 @@
     - rhel9cis_rule_1_4_1
   tags: always
   ansible.builtin.assert:
-    that: rhel9cis_bootloader_password != 'password' # pragma: allowlist secret
+    that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret
     msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password variable has not been set correctly"
 
 - name: "Check crypto-policy module input"
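Review bot: The second new comment says `if the encrypted format` where it means `in the encrypted format`, and the example `grub.pbkdf2.sha512.hashstring` understates what GRUB expects — on RHEL-family systems the value produced by `grub2-mkpasswd-pbkdf2` has the shape `grub.pbkdf2.sha512.<iterations>.<salt>.<hash>`, and a truncated string will be written into user.cfg without complaint and simply fail at the GRUB prompt. I would rewrite the two lines as `# Either set rhel9cis_bootloader_password_hash, or set both rhel9cis_bootloader_password and rhel9cis_bootloader_salt.` and `# If you are not using the bootloader hash filter, paste the full encrypted string from grub2-mkpasswd-pbkdf2 here (grub.pbkdf2.sha512.<iterations>.<salt>.<hash>).` The default is a sentinel the role refuses to run with, which is worth stating so nobody mistakes it for a working hash: `# The default below is a placeholder; the role asserts it has been changed before rule 1.4.1 runs.` As with `rhel9cis_bootloader_password` just below, a real value belongs in an ansible-vault-encrypted vars file rather than this committed defaults file, and a one-line comment saying so would spare the next operator from committing a live hash.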
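Review bot: The rewritten `that:` still lets an empty or malformed hash through — `rhel9cis_bootloader_password_hash: ''` differs from the sentinel, so the first operand is true and the salt/password branch is never evaluated; tightening it to `that: rhel9cis_bootloader_password_hash not in ['', 'grub.pbkdf2.sha512.changethispassword'] or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password')` closes that gap. The `msg` line under it still names only `rhel9cis_bootloader_password`, so it should now read `msg: "Set rhel9cis_bootloader_password_hash, or both rhel9cis_bootloader_salt and rhel9cis_bootloader_password, before enabling rhel9cis_rule_1_4_1"`. `rhel9cis_bootloader_salt` is not added by the defaults hunk in this diff, so unless it is defined elsewhere in defaults the second operand will fail with an undefined-variable error rather than the assert message whenever the hash is left at its default — worth confirming, or guarding with `rhel9cis_bootloader_salt is defined and`. The task's `- name:` and `when:` lines begin before this hunk.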