diff --git a/app/models/user.rb b/app/models/user.rb
index ab520d7b..05a50581 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -123,8 +123,8 @@ class User < ActiveRecord::Base
 return nil if candidate.nil?
 if Tracks::Config.auth_schemes.include?('database')
- return candidate if candidate.auth_type == 'database' &&
- BCrypt::Password.new(candidate.crypted_password) == pass
+ return candidate if candidate.auth_type == 'database' and
+ candidate.password_matches? pass
 end
 if Tracks::Config.auth_schemes.include?('ldap')
@@ -216,6 +216,14 @@ class User < ActiveRecord::Base
 crypted_password =~ /^[a-f0-9]{40}$/i
 end
+ def password_matches?(pass)
+ if uses_deprecated_password?
+ crypted_password == User.sha1(pass)
+ else
+ BCrypt::Password.new(crypted_password) == pass
+ end
+ end
+
 protected
 def self.salted(s)
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index b820fbaf..247ce2c0 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -343,6 +343,19 @@ class UserTest < ActiveSupport::TestCase
 u.change_password("foobar", "foobar")
 assert_nil u.uses_deprecated_password?
 end
+
+ def test_should_authenticate_with_deprecated_password
+ assert_nil User.authenticate('mr_deprecated', 'wrong password')
+ assert_equal users(:user_with_sha1_password),
+ User.authenticate('mr_deprecated', 'foobar')
+ end
+
+ def test_password_matches
+ assert_not_nil User.authenticate(@admin_user.login, "abracadabra")
+ assert_nil User.authenticate(@admin_user.login, "incorrect")
+ assert_not_nil User.authenticate(users(:user_with_sha1_password).login, "foobar")
+ assert_nil User.authenticate(users(:user_with_sha1_password).login, "wrong")
+ end
 protected
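Review bot: The legacy branch of `password_matches?` compares the SHA-1 digest with plain `==`, which stops at the first differing byte; if the Rails in use provides `ActiveSupport::SecurityUtils.secure_compare`, `crypted_password == User.sha1(pass)` should become `ActiveSupport::SecurityUtils.secure_compare(crypted_password, User.sha1(pass))` so the comparison does not leak digest-prefix timing (whether `User.sha1` salts the input is not visible in this hunk). The bcrypt branch still raises `BCrypt::Errors::InvalidHash` when `crypted_password` is nil or otherwise not a bcrypt string (anything that fails the `uses_deprecated_password?` regex), so a malformed stored value makes `authenticate` raise instead of returning nil; a guard such as `return false if crypted_password.blank?` before the `if`, or rescuing that error to false, would keep the predicate total. A successful match on the deprecated path is the natural point to re-hash with bcrypt so SHA-1 digests are retired on next login rather than persisting indefinitely; the `change_password` path exercised in the test hunk suggests the machinery already exists, though that is inferred. The method is public and undocumented; a header like `# True when +pass+ matches the stored credential, accepting the legacy SHA-1 digest until the user is migrated to bcrypt.` would state the contract the caller in the first hunk now relies on.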