diff --git a/docs/en/04_Changelogs/3.5.6.md b/docs/en/04_Changelogs/3.5.6.md
new file mode 100644
index 000000000..ad6d2bf17
--- /dev/null
+++ b/docs/en/04_Changelogs/3.5.6.md
@@ -0,0 +1,32 @@ +# 3.5.6 + + + +## Change Log + +### Security + + * 2017-11-30 [6ba00e829](https://github.com/silverstripe/silverstripe-framework/commit/6ba00e829a9fb360dfe5cb0bc3d4544016c82357) Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009) + * 2017-11-30 [25e276cf3](https://github.com/silverstripe/silverstripe-framework/commit/25e276cf3784dc1ab3a38252192ccd61f9d63121) user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006) + * 2017-11-29 [22ccf3e2f](https://github.com/silverstripe/silverstripe-framework/commit/22ccf3e2f9092f51e7f7288ce108598c6f17b49c) Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007) + * 2017-11-21 [0f2049d4d](https://github.com/silverstripe/silverstripe-framework/commit/0f2049d4d466e05f5d7f07fc63580836de8c6bff) SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008) + +### Bugfixes + + * 2017-11-30 [84d7afb34](https://github.com/silverstripe/silverstripe-framework/commit/84d7afb3477885e9d69f2ac10838179efc1d3b91) Use baseDataClass for allVersions as with other methods (Daniel Hensby) + * 2017-11-24 [09a003bc1](https://github.com/silverstripe/silverstripe-framework/commit/09a003bc13390359fa717a4256f9278303d59544) deprecated usage of getMock in unit tests (Daniel Hensby) + * 2017-11-23 [2ad3cc07d](https://github.com/silverstripe/silverstripe-framework/commit/2ad3cc07d583041e23a5dca0d53ffbdf8c9cd0d0) Update meber passwordencryption to default on password change (Daniel Hensby) + * 2017-11-16 [dda14e895](https://github.com/silverstripe/silverstripe-framework/commit/dda14e89596a0de0b70eace27f7015bc0bb40669) HTTP::get_mime_type with uppercase filenames. 
(Roman Schmid) + * 2017-11-16 [52f0eadd3](https://github.com/silverstripe/silverstripe-framework/commit/52f0eadd3b1ad37806a95b6dd05427add3166cc5) for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson) + * 2017-11-15 [ce3fd370f](https://github.com/silverstripe/silverstripe-framework/commit/ce3fd370fb07ffc18742323b0dd99f30cf28cf14) ManyMany link table joined with LEFT JOIN (Daniel Hensby) + * 2017-11-09 [1053de7ec](https://github.com/silverstripe/silverstripe-framework/commit/1053de7ec39d1a2ce6826ea2db8f55114755098d) Don't redirect in force_redirect() in CLI (Damian Mooyman) + * 2017-10-25 [cbac37559](https://github.com/silverstripe/silverstripe-framework/commit/cbac3755909bc5d72d923b07747fd6a98e2215dc) Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby) + * 2017-10-25 [32cef975e](https://github.com/silverstripe/silverstripe-framework/commit/32cef975ef6c816d8b5bc953cffbd18492686281) Use self::inst() for Injector/Config nest methods (Daniel Hensby) + * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe) + * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason) + * 2017-10-09 [264cec123](https://github.com/silverstripe/silverstripe-framework/commit/264cec1239ee8d75e67c5402970a91cf58e50539) Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby) + * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver) + * 2017-09-12 
[0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby) + * 2017-08-13 [2f579b64c](https://github.com/silverstripe/silverstripe-framework/commit/2f579b64cb9cb8986489e312b253dba5061e304b) Files without extensions (folders) do not have a trailing period added (Robbie Averill) + * 2017-07-04 [00f1ad5d6](https://github.com/silverstripe/silverstripe-framework/commit/00f1ad5d692f0a44b58bb216e5378e51dc96243d) Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell) + * 2016-03-20 [805c38f10](https://github.com/silverstripe/silverstripe-framework/commit/805c38f107e7e332d2846407e0a89cade1d33ed1) don't try and switch out of context of the tab system (Stevie Mayhew) diff --git a/docs/en/04_Changelogs/3.6.3.md b/docs/en/04_Changelogs/3.6.3.md new file mode 100644 index 000000000..2e28aa093 --- /dev/null +++ b/docs/en/04_Changelogs/3.6.3.md 
@@ -0,0 +1,34 @@ +# 3.6.3 + + + +## Change Log + +### Security + + * 2017-11-30 [6ba00e829](https://github.com/silverstripe/silverstripe-framework/commit/6ba00e829a9fb360dfe5cb0bc3d4544016c82357) Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009) + * 2017-11-30 [db54112f3](https://github.com/silverstripe/silverstripe-framework/commit/db54112f3cca012e33257c782dffd7154bf663a5) user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006) + * 2017-11-29 [22ccf3e2f](https://github.com/silverstripe/silverstripe-framework/commit/22ccf3e2f9092f51e7f7288ce108598c6f17b49c) Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007) + * 2017-11-21 [0f2049d4d](https://github.com/silverstripe/silverstripe-framework/commit/0f2049d4d466e05f5d7f07fc63580836de8c6bff) SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008) + +### Bugfixes + + * 2017-12-05 [8477de15](https://github.com/silverstripe/silverstripe-siteconfig/commit/8477de15203c4c80ca55365200fa3c7c031d70d8) Remove unused Behat tests from 3.6 branch (Robbie Averill) + * 2017-11-30 [84d7afb34](https://github.com/silverstripe/silverstripe-framework/commit/84d7afb3477885e9d69f2ac10838179efc1d3b91) Use baseDataClass for allVersions as with other methods (Daniel Hensby) + * 2017-11-24 [09a003bc1](https://github.com/silverstripe/silverstripe-framework/commit/09a003bc13390359fa717a4256f9278303d59544) deprecated usage of getMock in unit tests (Daniel Hensby) + * 2017-11-23 [2ad3cc07d](https://github.com/silverstripe/silverstripe-framework/commit/2ad3cc07d583041e23a5dca0d53ffbdf8c9cd0d0) Update meber passwordencryption to default on password change (Daniel 
Hensby) + * 2017-11-22 [ef6d86f2c](https://github.com/silverstripe/silverstripe-framework/commit/ef6d86f2c695d319f9c07ccd9f4d93e83263e356) Allow lowercase and uppercase delcaration of legacy Int class (Daniel Hensby) + * 2017-11-16 [dda14e895](https://github.com/silverstripe/silverstripe-framework/commit/dda14e89596a0de0b70eace27f7015bc0bb40669) HTTP::get_mime_type with uppercase filenames. (Roman Schmid) + * 2017-11-16 [52f0eadd3](https://github.com/silverstripe/silverstripe-framework/commit/52f0eadd3b1ad37806a95b6dd05427add3166cc5) for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). (Patrick Nelson) + * 2017-11-15 [ce3fd370f](https://github.com/silverstripe/silverstripe-framework/commit/ce3fd370fb07ffc18742323b0dd99f30cf28cf14) ManyMany link table joined with LEFT JOIN (Daniel Hensby) + * 2017-11-09 [1053de7ec](https://github.com/silverstripe/silverstripe-framework/commit/1053de7ec39d1a2ce6826ea2db8f55114755098d) Don't redirect in force_redirect() in CLI (Damian Mooyman) + * 2017-10-25 [cbac37559](https://github.com/silverstripe/silverstripe-framework/commit/cbac3755909bc5d72d923b07747fd6a98e2215dc) Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby) + * 2017-10-25 [32cef975e](https://github.com/silverstripe/silverstripe-framework/commit/32cef975ef6c816d8b5bc953cffbd18492686281) Use self::inst() for Injector/Config nest methods (Daniel Hensby) + * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe) + * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason) + * 2017-10-09 
[264cec123](https://github.com/silverstripe/silverstripe-framework/commit/264cec1239ee8d75e67c5402970a91cf58e50539) Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby) + * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver) + * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby) + * 2017-08-13 [2f579b64c](https://github.com/silverstripe/silverstripe-framework/commit/2f579b64cb9cb8986489e312b253dba5061e304b) Files without extensions (folders) do not have a trailing period added (Robbie Averill) + * 2017-07-04 [00f1ad5d6](https://github.com/silverstripe/silverstripe-framework/commit/00f1ad5d692f0a44b58bb216e5378e51dc96243d) Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell) + * 2016-03-20 [805c38f10](https://github.com/silverstripe/silverstripe-framework/commit/805c38f107e7e332d2846407e0a89cade1d33ed1) don't try and switch out of context of the tab system (Stevie Mayhew) diff --git a/docs/en/04_Changelogs/rc/3.5.6-rc1.md b/docs/en/04_Changelogs/rc/3.5.6-rc1.md new file mode 100644 index 000000000..765adb95c --- /dev/null +++ b/docs/en/04_Changelogs/rc/3.5.6-rc1.md 
@@ -0,0 +1,31 @@ +# 3.5.6-rc1 + + + +## Change Log + +### Security + + * 2017-11-30 [6ba00e829]() Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009) + * 2017-11-30 [25e276cf3]() user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006) + * 2017-11-29 [22ccf3e2f]() Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007) + +### Bugfixes + + * 2017-11-30 [84d7afb34]() Use baseDataClass for allVersions as with other methods (Daniel Hensby) + * 2017-11-24 [09a003bc1]() deprecated usage of getMock in unit tests (Daniel Hensby) + * 2017-11-23 [2ad3cc07d]() Update meber passwordencryption to default on password change (Daniel Hensby) + * 2017-11-16 [dda14e895]() HTTP::get_mime_type with uppercase filenames. (Roman Schmid) + * 2017-11-16 [52f0eadd3]() for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). 
(Patrick Nelson) + * 2017-11-15 [ce3fd370f]() ManyMany link table joined with LEFT JOIN (Daniel Hensby) + * 2017-11-09 [1053de7ec]() Don't redirect in force_redirect() in CLI (Damian Mooyman) + * 2017-10-25 [cbac37559]() Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby) + * 2017-10-25 [32cef975e]() Use self::inst() for Injector/Config nest methods (Daniel Hensby) + * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe) + * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason) + * 2017-10-09 [264cec123]() Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby) + * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver) + * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby) + * 2017-08-13 [2f579b64c]() Files without extensions (folders) do not have a trailing period added (Robbie Averill) + * 2017-07-04 [00f1ad5d6]() Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell) + * 2016-03-20 [805c38f10]() don't try and switch out of context of the tab system (Stevie Mayhew) diff --git a/docs/en/04_Changelogs/rc/3.6.3-rc2.md b/docs/en/04_Changelogs/rc/3.6.3-rc2.md new file mode 100644 index 000000000..8889b2951 --- /dev/null +++ b/docs/en/04_Changelogs/rc/3.6.3-rc2.md 
@@ -0,0 +1,34 @@ +# 3.6.3-rc2 + + + +## Change Log + +### Security + + * 2017-11-30 [6ba00e829]() Prevent disclosure of sensitive information via LoginAttempt (Damian Mooyman) - See [ss-2017-009](http://www.silverstripe.org/download/security-releases/ss-2017-009) + * 2017-11-30 [db54112f3]() user agent invalidation on session startup (Damian Mooyman) - See [ss-2017-006](http://www.silverstripe.org/download/security-releases/ss-2017-006) + * 2017-11-29 [22ccf3e2f]() Ensure xls formulae are safely sanitised on output (Damian Mooyman) - See [ss-2017-007](http://www.silverstripe.org/download/security-releases/ss-2017-007) + * 2017-11-21 [0f2049d4d]() SQL injection in search engine (Daniel Hensby) - See [ss-2017-008](http://www.silverstripe.org/download/security-releases/ss-2017-008) + +### Bugfixes + + * 2017-12-05 [8477de15](https://github.com/silverstripe/silverstripe-siteconfig/commit/8477de15203c4c80ca55365200fa3c7c031d70d8) Remove unused Behat tests from 3.6 branch (Robbie Averill) + * 2017-11-30 [84d7afb34]() Use baseDataClass for allVersions as with other methods (Daniel Hensby) + * 2017-11-24 [09a003bc1]() deprecated usage of getMock in unit tests (Daniel Hensby) + * 2017-11-23 [2ad3cc07d]() Update meber passwordencryption to default on password change (Daniel Hensby) + * 2017-11-22 [ef6d86f2c]() Allow lowercase and uppercase delcaration of legacy Int class (Daniel Hensby) + * 2017-11-16 [dda14e895]() HTTP::get_mime_type with uppercase filenames. (Roman Schmid) + * 2017-11-16 [52f0eadd3]() for #7606: Ensure the object we're handling is actually an Image instance before calling methods specific to that class (e.g. in case of using SVG's in <img> tag which may be File instances). 
(Patrick Nelson) + * 2017-11-15 [ce3fd370f]() ManyMany link table joined with LEFT JOIN (Daniel Hensby) + * 2017-11-09 [1053de7ec]() Don't redirect in force_redirect() in CLI (Damian Mooyman) + * 2017-10-25 [cbac37559]() Helpful warning when phpunit bootstrap appears misconfigured (Daniel Hensby) + * 2017-10-25 [32cef975e]() Use self::inst() for Injector/Config nest methods (Daniel Hensby) + * 2017-10-19 [a73d5b41](https://github.com/silverstripe/silverstripe-cms/commit/a73d5b4177be445128a6fa42e20dd8df13eaf554) revert to this button after archiving (Christopher Joe) + * 2017-10-12 [fd39faee](https://github.com/silverstripe/silverstripe-cms/commit/fd39faeefd5241cf96313e968142183de767c51b) UploadField overwriteWarning isn't working in AssetAdmin (Jason) + * 2017-10-09 [264cec123]() Dont use var_export for cache key generation as it fails on circular references (Daniel Hensby) + * 2017-10-04 [24e190ea](https://github.com/silverstripe/silverstripe-cms/commit/24e190ea8265d16445a3210f7b06de191e474004) TreeDropdownField showing broken page icons (fixes silverstripe/silverstripe-framework#7420) (Loz Calver) + * 2017-09-12 [0aac4ddb](https://github.com/silverstripe/silverstripe-cms/commit/0aac4ddb7ecf0f17eda8add235017c10c9f57255) Default LoginForm generated from default_authenticator (Daniel Hensby) + * 2017-08-13 [2f579b64c]() Files without extensions (folders) do not have a trailing period added (Robbie Averill) + * 2017-07-04 [00f1ad5d6]() Fixes #7116 Improves server requirements docs viz: OpCaches. (Russell Michell) + * 2016-03-20 [805c38f10]() don't try and switch out of context of the tab system (Stevie Mayhew) diff --git a/src/Security/Member.php b/src/Security/Member.php index 34adbb98e..929d60ac3 100644 --- a/src/Security/Member.php +++ b/src/Security/Member.php 
@@ -1716,7 +1716,7 @@ class Member extends DataObject
 $encryption_details = Security::encrypt_password(
 $this->Password,
 $this->Salt,
- $this->PasswordEncryption ?: Security::config()->get('password_encryption_algorithm'),
+ $this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null,
 $this
 );
diff --git a/src/Security/Security.php b/src/Security/Security.php
index d61626971..16ed75207 100644
--- a/src/Security/Security.php
+++ b/src/Security/Security.php
@@ -1161,6 +1161,7 @@ class Security extends Controller implements TemplateGlobalProvider
 *
 * If the passed algorithm is invalid, FALSE will be returned.
 *
+ * @throws PasswordEncryptor_NotFoundException
 * @see encrypt_passwords()
 */
 public static function encrypt_password($password, $salt = null, $algorithm = null, $member = null)
diff --git a/tests/php/Security/MemberTest.php b/tests/php/Security/MemberTest.php
index 7dce42fe0..b75c90155 100644
--- a/tests/php/Security/MemberTest.php
+++ b/tests/php/Security/MemberTest.php
@@ -3,6 +3,7 @@
 namespace SilverStripe\Security\Tests;
 use SilverStripe\Control\Cookie;
+use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Convert;
 use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Dev\FunctionalTest;
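Review bot: When `PasswordEncryption` is explicitly set to an empty value in the same write, the new ternary passes that empty string through instead of the `null` the fallback branch uses, whereas the removed `?:` coerced any falsy value to the configured algorithm; whether `encrypt_password()` treats `''` the same as `null` is not visible here, so `$this->isChanged('PasswordEncryption') ? ($this->PasswordEncryption ?: null) : null` keeps the old guarantee either way. The intent of the change — re-hash with the currently configured default unless an algorithm was chosen for this write, so records still on a legacy algorithm are upgraded on password change — is not stated anywhere in the hunk; a comment such as `// Use the configured default algorithm unless one was explicitly set for this write (upgrades legacy hashes on password change)` would save the next reader from re-deriving it from the tests. Note that `isChanged()` presumably reports no change when the field is assigned the value it already had, so such an assignment would also fall through to the default; confirm that is acceptable. The enclosing method starts and ends outside the hunk.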
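Review bot: The added `@throws PasswordEncryptor_NotFoundException` sits directly under the sentence `If the passed algorithm is invalid, FALSE will be returned.`, so the docblock now documents two contradictory outcomes for the same condition. The method body is outside the hunk; if an unknown algorithm now throws, replace that sentence with `If the passed algorithm is not registered, PasswordEncryptor_NotFoundException is thrown.`, and if a FALSE return still exists for some other case, say which case. The caller changed in Member.php in this same diff does not catch the exception, so this docblock is the only place the contract is visible to callers.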
@@ -56,6 +57,22 @@ class MemberTest extends FunctionalTest
 Member::set_password_validator(null);
 }
+ public function testPasswordEncryptionUpdatedOnChangedPassword()
+ {
+ Config::modify()->set(Security::class, 'password_encryption_algorithm', 'none');
+ $member = Member::create();
+ $member->Password = 'password';
+ $member->write();
+ $this->assertEquals('password', $member->Password);
+ $this->assertEquals('none', $member->PasswordEncryption);
+ Config::modify()->set(Security::class, 'password_encryption_algorithm', 'blowfish');
+ $member->Password = 'newpassword';
+ $member->write();
+ $this->assertNotEquals('password', $member->Password);
+ $this->assertNotEquals('newpassword', $member->Password);
+ $this->assertEquals('blowfish', $member->PasswordEncryption);
+ }
+
 public function testWriteDoesntMergeNewRecordWithExistingMember()
 {
 $this->expectException(ValidationException::class);
@@ -91,8 +108,8 @@ class MemberTest extends FunctionalTest
 $memberWithPassword->Password = 'mypassword';
 $memberWithPassword->write();
 $this->assertEquals(
- $memberWithPassword->PasswordEncryption,
 Security::config()->get('password_encryption_algorithm'),
+ $memberWithPassword->PasswordEncryption,
 'Password encryption is set for new member records on first write (with setting "Password")'
 );
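Review bot: `testPasswordEncryptionUpdatedOnChangedPassword` asserts that `PasswordEncryption` reads `blowfish` after the second write but never checks that the re-hashed password still authenticates, which is exactly the property the removed `testDefaultPasswordEncryptionDoesntChangeExistingMembers` covered through `MemberAuthenticator::checkPassword()`; a stored label that disagrees with the stored hash would pass this test unnoticed. Add `$this->assertTrue((new MemberAuthenticator())->checkPassword($member, 'newpassword')->isValid());` before the closing brace; `MemberAuthenticator` is already used elsewhere in this file. The two `Config::modify()` calls also leave the algorithm set to `blowfish` for the rest of the test; this is presumably rolled back per test by the test base class, but confirm, since `testKeepsEncryptionOnEmptyPasswords` later in this file reads the same config key.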
@@ -104,27 +121,6 @@ class MemberTest extends FunctionalTest
 );
 }
- public function testDefaultPasswordEncryptionDoesntChangeExistingMembers()
- {
- $member = new Member();
- $member->Password = 'mypassword';
- $member->PasswordEncryption = 'sha1_v2.4';
- $member->write();
-
- Security::config()->set('password_encryption_algorithm', 'none');
-
- $member->Password = 'mynewpassword';
- $member->write();
-
- $this->assertEquals(
- $member->PasswordEncryption,
- 'sha1_v2.4'
- );
- $auth = new MemberAuthenticator();
- $result = $auth->checkPassword($member, 'mynewpassword');
- $this->assertTrue($result->isValid());
- }
-
 public function testKeepsEncryptionOnEmptyPasswords()
 {
 $member = new Member();
@@ -136,8 +132,8 @@ class MemberTest extends FunctionalTest
 $member->write();
 $this->assertEquals(
- $member->PasswordEncryption,
- 'sha1_v2.4'
+ Security::config()->get('password_encryption_algorithm'),
+ $member->PasswordEncryption
 );
 $auth = new MemberAuthenticator();
 $result = $auth->checkPassword($member, '');