diff --git a/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html b/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html
index b411298d746..a2a12c6f108 100644
--- a/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html
+++ b/django/contrib/auth/templates/auth/widgets/read_only_password_hash.html
@@ -1,3 +1,5 @@
+<div{% include 'django/forms/widgets/attrs.html' %}>
 {% for entry in summary %}
-<div{% include 'django/forms/widgets/attrs.html' %}><strong>{{ entry.label }}</strong>{% if entry.value %}: {{ entry.value }}{% endif %}
+<strong>{{ entry.label }}</strong>{% if entry.value %}: {{ entry.value }}{% endif %}
 {% endfor %}
+</div>
diff --git a/docs/releases/1.11.1.txt b/docs/releases/1.11.1.txt
index 41f82a0c635..26ff8927315 100644
--- a/docs/releases/1.11.1.txt
+++ b/docs/releases/1.11.1.txt
@@ -30,3 +30,6 @@ Bugfixes
 
 * Prevented ``SessionBase.cycle_key()`` from losing session data if
   ``_session_cache`` isn't populated (:ticket:`28066`).
+
+* Fixed layout of ``ReadOnlyPasswordHashWidget`` (used in the admin's user
+  change page) (:ticket:`28097`).
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index 68bcd892a13..05f1f419612 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -825,6 +825,22 @@ class ReadOnlyPasswordHashTest(SimpleTestCase):
         html = widget.render(name='password', value=None, attrs={})
         self.assertIn(_("No password set."), html)
 
+    @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.PBKDF2PasswordHasher'])
+    def test_render(self):
+        widget = ReadOnlyPasswordHashWidget()
+        value = 'pbkdf2_sha256$100000$a6Pucb1qSFcD$WmCkn9Hqidj48NVe5x0FEM6A9YiOqQcl/83m2Z5udm0='
+        self.assertHTMLEqual(
+            widget.render('name', value, {'id': 'id_password'}),
+            """
+            <div id="id_password">
+                <strong>algorithm</strong>: pbkdf2_sha256
+                <strong>iterations</strong>: 100000
+                <strong>salt</strong>: a6Pucb******
+                <strong>hash</strong>: WmCkn9**************************************
+            </div>
+            """
+        )
+
     def test_readonly_field_has_changed(self):
         field = ReadOnlyPasswordHashField()
         self.assertFalse(field.has_changed('aaa', 'bbb'))