diff --git a/system/config/system.yaml b/system/config/system.yaml
index 59f4b36a9..0288d962c 100644
--- a/system/config/system.yaml
+++ b/system/config/system.yaml
@@ -71,3 +71,6 @@ debugger:
 images:
   default_image_quality: 85 # Default image quality to use when resampling images (85%)
   debug: false # Show an overlay over images indicating the pixel depth of the image when working with retina for example
+
+security:
+  default_hash: $2y$10$kwsyMVwM8/7j0K/6LHT.g.Fs49xOCTp2b8hh/S5.dPJuJcJB6T.UK
diff --git a/system/src/Grav/Common/User/User.php b/system/src/Grav/Common/User/User.php
index fb9fd21f8..13dc5d8e8 100644
--- a/system/src/Grav/Common/User/User.php
+++ b/system/src/Grav/Common/User/User.php
@@ -55,11 +55,23 @@ class User extends Data
     {
         $save = false;
+        // Plain-text is still stored
         if ($this->password) {
-            $save = true;
-            $this->hashed_password = Authentication::create($this->password);
-            unset($this->password);
+            if ($password !== $this->password) {
+                // Plain-text passwords do not match, we know we should fail but execute
+                // verify to protect us from timing attacks and return false regardless of
+                // the result
+                Authentication::verify($password, self::getGrav()['config']->get('system.security.default_hash'));
+                return false;
+            } else {
+                // Plain-text does match, we can update the hash and proceed
+                $save = true;
+
+                $this->hashed_password = Authentication::create($this->password);
+                unset($this->password);
+            }
+        }
         $result = Authentication::verify($password, $this->hashed_password);
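Review bot: `security.default_hash` is the only key in this hunk without the inline `#` comment its `images` neighbours carry, and its purpose is not obvious from the value alone — it is a bcrypt hash that `User.php` in this same commit passes to `Authentication::verify()` so that a login whose stored plain-text password does not match still pays for a full hash comparison before returning false. I would document that on the line itself: `default_hash: <value unchanged> # Dummy bcrypt hash used on a failed plain-text login so the failure costs as much as a real verify; not a secret, but must use the same algorithm and cost as Authentication::create()`. That timing equivalence only holds if the cost embedded here (`$2y$10$`) matches what `Authentication::create()` produces, which this diff does not show, so it is worth confirming; it is also worth noting in the comment that a site overriding the key with an empty or non-bcrypt value would silently make the failed path fast again.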