diff --git a/object_templates/transport.erb b/object_templates/transport.erb
index be8614b9e13c8ec98d35fd9c406f03cf74d41ae0..7fbc0a73b25561a11d6c7727947c1c4e0e559f70 100644
--- a/object_templates/transport.erb
+++ b/object_templates/transport.erb
@@ -16,7 +16,7 @@ module Puppet::Transport
       context.debug("Checking connection to #{@connection_info[:host]}:#{@connection_info[:port]}")
       # in a real world implementation, the password would be checked by connecting
       # to the target device or checking that an existing connection is still alive
-      raise 'authentication error' if @connection_info[:password] == 'invalid'
+      raise 'authentication error' if @connection_info[:password].unwrap == 'invalid'
     end
 
     # Retrieve facts from the target and return in a hash
diff --git a/object_templates/transport_spec.erb b/object_templates/transport_spec.erb
index 2d5a51069bf3c44e1fc0cb5b709a5802d7d404a9..b15588733da2854b3a31fc196e44f57368a0753c 100644
--- a/object_templates/transport_spec.erb
+++ b/object_templates/transport_spec.erb
@@ -6,11 +6,12 @@ RSpec.describe Puppet::Transport::<%= transport_class %> do
   subject(:transport) { described_class.new(context, connection_info) }
 
   let(:context) { instance_double('Puppet::ResourceApi::BaseContext', 'context') }
+  let(:password) { 'aih6cu6ohvohpahN' }
   let(:connection_info) do
     {
       host: 'api.example.com',
       user: 'admin',
-      password: 'aih6cu6ohvohpahN',
+      password: Puppet::Pops::Types::PSensitiveType::Sensitive.new(password),
     }
   end
 
@@ -30,7 +31,7 @@ RSpec.describe Puppet::Transport::<%= transport_class %> do
     end
 
     context 'with invalid credentials' do
-      let(:connection_info) { super().merge(password: 'invalid') }
+      let(:password) { 'invalid' }
 
       it 'raises an error' do
         expect { transport.verify(context) }.to raise_error RuntimeError, %r{authentication error}