diff --git a/inc/auth.php b/inc/auth.php
index 7477ae7ef20a1c6fcb861d799fe786937a18103c..037f7e78fa65c46cb793d2942954a4e8a4af5242 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -229,7 +229,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 
     if(!empty($user)) {
         //usual login
-        if($auth->checkPass($user, $pass)) {
+        if(!empty($pass) && $auth->checkPass($user, $pass)) {
             // make logininfo globally available
             $INPUT->server->set('REMOTE_USER', $user);
             $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session