diff --git a/rhodecode/authentication/plugins/auth_rhodecode.py b/rhodecode/authentication/plugins/auth_rhodecode.py
--- a/rhodecode/authentication/plugins/auth_rhodecode.py
+++ b/rhodecode/authentication/plugins/auth_rhodecode.py
@@ -114,7 +114,7 @@ class RhodeCodeAuthPlugin(RhodeCodeAuthP
 crypto_backend = auth.crypto_backend()
 password_encoded = safe_str(password)
 password_match, new_hash = crypto_backend.hash_check_with_upgrade(
- password_encoded, userobj.password)
+ password_encoded, userobj.password or '')
 if password_match and new_hash:
 log.debug('user %s properly authenticated, but '
diff --git a/rhodecode/model/user.py b/rhodecode/model/user.py
--- a/rhodecode/model/user.py
+++ b/rhodecode/model/user.py
@@ -256,8 +256,9 @@ class UserModel(BaseModel):
 log_create_user, check_allowed_create_user)
 def _password_change(new_user, password):
+ old_password = new_user.password or ''
 # empty password
- if not new_user.password:
+ if not old_password:
 return False
 # password check is only needed for RhodeCode internal auth calls
@@ -269,7 +270,7 @@ class UserModel(BaseModel):
 if new_user.password == password:
 return False
- password_match = check_password(password, new_user.password)
+ password_match = check_password(password, old_password)
 if not password_match:
 return True
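Review bot: In the auth_rhodecode.py hunk, `userobj.password or ''` stops None reaching the backend, but it still passes an empty stored hash to `crypto_backend.hash_check_with_upgrade`. Rejecting an account with no local password then depends on how each crypto backend treats an empty hash, which is not visible here. An explicit guard before the call makes the outcome independent of the backend: `if not userobj.password:` followed by `password_match, new_hash = False, None`, with the existing call moved into the `else` branch. A debug log on that path (user name only, never the submitted password) would help tell "no local password set" from a wrong password during triage. The enclosing method starts and ends outside the hunk.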
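Review bot: In `_password_change` (rhodecode/model/user.py, hunk at -256) the new local `old_password` feeds the emptiness check and, in the following hunk at -269, `check_password`. The context line `if new_user.password == password:` in that second hunk still reads the attribute directly, so the function now spells the same value two ways; `if old_password == password:` would keep it consistent. Because the function returns False as soon as `old_password` is empty, `check_password` should never receive `''` on this path, although the lines between the two hunks are not visible. A short comment on the assignment, such as `# password may be None when no local hash is stored`, would explain the `or ''`; that reason is inferred from the change and should be confirmed.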