diff --git a/clientapi/auth/password.go b/clientapi/auth/password.go
index bcb4ca97b..890b18183 100644
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@@ -68,6 +68,12 @@ func (t *LoginTypePassword) Login(ctx context.Context, req interface{}) (*Login,
 			JSON: jsonerror.BadJSON("A username must be supplied."),
 		}
 	}
+	if len(r.Password) == 0 {
+		return nil, &util.JSONResponse{
+			Code: http.StatusUnauthorized,
+			JSON: jsonerror.BadJSON("A password must be supplied."),
+		}
+	}
 	localpart, err := userutil.ParseUsernameParam(username, &t.Config.Matrix.ServerName)
 	if err != nil {
 		return nil, &util.JSONResponse{
diff --git a/userapi/storage/shared/storage.go b/userapi/storage/shared/storage.go
index 09eeedc9f..4e28f7b5a 100644
--- a/userapi/storage/shared/storage.go
+++ b/userapi/storage/shared/storage.go
@@ -75,7 +75,7 @@ func (d *Database) GetAccountByPassword(
 	if err != nil {
 		return nil, err
 	}
-	if hash == "" {
+	if len(hash) == 0 && len(plaintextPassword) > 0 {
 		return nil, bcrypt.ErrHashTooShort
 	}
 	if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil {