diff --git a/inc/auth.php b/inc/auth.php
index 164ad3df9b533ff6ac05fa5ba7bd84e274b60357..85c8cfd7b8d343409b551a96ada5ac129eb62f28 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -209,8 +209,9 @@ function auth_login($user,$pass,$sticky=false,$silent=false){
                     $auth->useSessionCache($user) &&
                     ($session['time'] >= time()-$conf['auth_security_timeout']) &&
                     ($session['user'] == $user) &&
-                    ($session['pass'] == $pass) &&  //still crypted
+                    ($session['pass'] == sha1($pass)) &&  //still crypted
                     ($session['buid'] == auth_browseruid()) ){
+
                 // he has session, cookie and browser right - let him in
                 $_SERVER['REMOTE_USER'] = $user;
                 $USERINFO = $session['info']; //FIXME move all references to session
@@ -979,7 +980,7 @@ function auth_setCookie($user,$pass,$sticky) {
     }
     // set session
     $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
-    $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
+    $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass);
     $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
     $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
     $_SESSION[DOKU_COOKIE]['auth']['time'] = time();