diff --git a/backend/app/api/auth.py b/backend/app/api/auth.py
index 13b070f..fe726ef 100644
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -140,14 +140,14 @@ async def login(
 ):
     result = await db.execute(select(User).where(User.username == form_data.username))
     user = result.scalar_one_or_none()
-    if not user or not user.hashed_password:
+    if not user:
         raise HTTPException(status_code=400, detail="Invalid credentials")
     if user.pocketid_sub is not None:
         raise HTTPException(
             status_code=400,
             detail="Password login is disabled for this account — use your passkey to sign in.",
         )
-    if not verify_password(form_data.password, user.hashed_password):
+    if not user.hashed_password or not verify_password(form_data.password, user.hashed_password):
         raise HTTPException(status_code=400, detail="Invalid credentials")
     token = create_access_token({"sub": str(user.id)})
     return Token(access_token=token, token_type="bearer",