I think this is a much better solution:
if params[:user][:password].blank? && params[:user][:password_confirmation].blank?
params[:user].delete(:password)
params[:user].delete(:password_confirmation)
end
This prevents you from having to change the Devise controller by simply removing the password field from the form response if it is blank.
Just be sure to use this before @user.attributes = params[:user]
or whatever you use in your update
action to set the new parameters from the form.