diff --git a/doc/security.mdwn b/doc/security.mdwn
index febf609b0..286f65934 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -8,7 +8,7 @@ Here is an overview of how user passwords are currently being stored in Plinth.
 1. We check if the username or password is empty. If so, return an error message.
-2. Use bcrypt (from passlib) to encrypt the password and generate a random salt. This step is performed regardless of whether the user already exists.
+2. Use bcrypt (from passlib) to encrypt the password and generate a random salt.
 3. If the password length is over 4096, bcrypt raises an exception. We catch this exception and return an error message.
diff --git a/modules/installed/lib/auth.py b/modules/installed/lib/auth.py
index 732fccf2b..97fecaf05 100644
--- a/modules/installed/lib/auth.py
+++ b/modules/installed/lib/auth.py
@@ -23,29 +23,27 @@ def add_user(username, passphrase, name='', email='', expert=False): if not username: error = "Must specify a username!" if not passphrase: error = "Must specify a passphrase!" - if error is None: - # hash the password whether the user exists, to foil timing - # side-channel attacks - try: - pass_hash = bcrypt.encrypt(passphrase) - except PasswordSizeError: - error = "Password is too long." - if error is None: if username in map(lambda x: x[0], cfg.users.get_all()): error = "User already exists!" else: - di = { - 'username':username, - 'name':name, - 'email':email, - 'expert':'on' if expert else 'off', - 'groups':['expert'] if expert else [], - 'passphrase':pass_hash, - 'salt':pass_hash[7:29], # for bcrypt - } - new_user = User(di) - cfg.users.set(username,new_user) + try: + pass_hash = bcrypt.encrypt(passphrase) + except PasswordSizeError: + error = "Password is too long." + + if error is None: + di = { + 'username':username, + 'name':name, + 'email':email, + 'expert':'on' if expert else 'off', + 'groups':['expert'] if expert else [], + 'passphrase':pass_hash, + 'salt':pass_hash[7:29], # for bcrypt + } + new_user = User(di) + cfg.users.set(username,new_user) if error: cfg.log(error)
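Review bot: In the new `else:` branch the bcrypt call now sits between the `username in map(...)` existence check and `cfg.users.set(username,new_user)`, so the check-then-set window grows from a few statements to a full hash computation. If two requests for the same username can run concurrently and `cfg.users.set` overwrites an existing entry (neither is visible in this hunk), the later writer would silently replace the first account's passphrase hash. Consider repeating the existence check immediately before the `set` call under a lock shared by all writers, or making the store reject an existing key. Separately, `'salt':pass_hash[7:29]` depends on a fixed-width hash prefix; a comment such as `# bcrypt "$2a$NN$" prefix is 7 chars, the salt is the next 22` would make that assumption explicit. The body of add_user starts above the hunk and appears to continue below it.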