diff --git a/lib/wsapi/complete_email_addition.js b/lib/wsapi/complete_email_addition.js
index abd012418bdacfecee0ab3f4d41df2eacf046407..53ddb3625200c603ec1396aceb3b79a415143a07 100644
--- a/lib/wsapi/complete_email_addition.js
+++ b/lib/wsapi/complete_email_addition.js
@@ -23,39 +23,12 @@ exports.process = function(req, res) {
   // 1. you must already be authenticated as the user who initiated the verification
   // 2. you must provide the password of the initiator.
 
-  // TRANSITIONAL CODE COMMENT
-  // for issue 1000 we moved initial password selection to the browserid dialog (from
-  // the verification page).  Rolling out this change causes some temporal pain.
-  // Outstannding verification links sent before the change was deployed will have
-  // email addition requests that require passwords without passwords in the stage table.
-  // When the verification page is loaded for
-  // these links, we prompt the user for a password.  That password is sent up with
-  // the request.  this code and comment should all be purged after the new code
-  // has been in production for 2 weeks.
-
-  var transitionalPassword = null;
-
-  // END TRANSITIONAL CODE COMMENT
-
-
   db.authForVerificationSecret(req.body.token, function(err, initiator_hash, initiator_uid) {
     if (err) {
       logger.info("unknown verification secret: " + err);
       return wsapi.databaseDown(res, err);
     }
 
-    // TRANSITIONAL CODE
-    if (!initiator_hash) {
-      if (!req.body.pass) return httputils.authRequired(res, "password required");
-      var err = wsapi.checkPassword(req.body.pass);
-      if (err) {
-        logger.warn("invalid password received: " + err);
-        return httputils.badRequest(res, err);
-      }
-      transitionalPassword = req.body.pass;
-      postAuthentication();
-    } else
-    // END TRANSITIONAL CODE
     if (req.session.userid === initiator_uid) {
       postAuthentication();
     } else if (typeof req.body.pass === 'string') {
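Review bot: With the `!initiator_hash` branch removed, `req.session.userid === initiator_uid` becomes the first test after the error check, and it is true when both sides are undefined (an unauthenticated session and a staged record that yields no uid). Whether `db.authForVerificationSecret` can call back without `err` and without a uid is not visible here, so an explicit guard is cheap insurance: `if (initiator_uid != null && req.session.userid === initiator_uid) {`. A staged row with an empty hash now also falls through to the password comparison that sits below this hunk, and the same applies to the `!hash` shortcut removed from complete_user_creation.js at `@@ -47,13 +37,6 @@`. That comparison should reject an empty stored hash as an authentication failure rather than reporting it through `wsapi.databaseDown`. The body of `exports.process` starts and continues outside this hunk.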
@@ -81,23 +54,6 @@ exports.process = function(req, res) {
         } else {
           wsapi.authenticateSession(req.session, uid, 'password');
           res.json({ success: true });
-
-          // TRANSITIONAL CODE
-          if (transitionalPassword) {
-            wsapi.bcryptPassword(transitionalPassword, function(err, hash) {
-              if (err) {
-                logger.warn("couldn't bcrypt pass for old verification link: " + err);
-                return;
-              }
-
-              db.updatePassword(uid, hash, function(err) {
-                if (err) {
-                  logger.warn("couldn't bcrypt pass for old verification link: " + err);
-                }
-              });
-            });
-          }
-          // END TRANSITIONAL CODE
         }
       });
     };
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index eab3381d8574a61f50bb6111b550b24619c2ca32..7a65ec488f52322b0010ca8bfd33210324749bcf 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -29,16 +29,6 @@ exports.process = function(req, res) {
   // and then control a browserid account that they can use to prove they own
   // the email address of the attacked.
 
-  // TRANSITIONAL CODE COMMENT
-  // for issue 1000 we moved initial password selection to the browserid dialog (from
-  // the verification page).  Rolling out this change causes some temporal pain.
-  // Outstannding verification links sent before the change was deployed will have
-  // new user requests without passwords.  When the verification page is loaded for
-  // these links, we prompt the user for a password.  That password is sent up with
-  // the request.  this code and comment should all be purged after the new code
-  // has been in production for 2 weeks.
-  // END TRANSITIONAL CODE COMMENT
-
   // is this the same browser?
   if (typeof req.session.pendingCreation === 'string' &&
       req.body.token === req.session.pendingCreation) {
@@ -47,13 +37,6 @@ exports.process = function(req, res) {
   // is a password provided?
   else if (typeof req.body.pass === 'string') {
     return db.authForVerificationSecret(req.body.token, function(err, hash) {
-      // TRANSITIONAL CODE
-      // if hash is null, no password was provided during verification and
-      // this is an old-style verification.  We accept the password and will
-      // update it after the verification is complete.
-      if (err == 'no password for user' || !hash) return postAuthentication();
-      // END TRANSITIONAL CODE
-
       if (err) {
         logger.warn("couldn't get password for verification secret: " + err);
         return wsapi.databaseDown(res, err);
@@ -75,67 +58,33 @@ exports.process = function(req, res) {
   }
 
   function postAuthentication() {
-    // the time the email verification is performed, we'll clear the pendingCreation
-    // data on the session.
-    delete req.session.pendingCreation;
-
     db.haveVerificationSecret(req.body.token, function(err, known) {
       if (err) return wsapi.databaseDown(res, err);
 
-      if (!known) return res.json({ success: false} );
+      if (!known) {
+        // clear the pendingCreation token from the session if we find no such
+        // token in the database
+        delete req.session.pendingCreation;
+        return res.json({ success: false} );
+      }
 
-      // TRANSITIONAL CODE
-      // user is authorized (1 or 2 above) OR user has no password set, in which
-      // case for a short time we'll accept the password provided with the verification
-      // link, and set it as theirs.
-      var transitionalPassword = null;
+      db.gotVerificationSecret(req.body.token, function(err, email, uid) {
+        if (err) {
+          logger.warn("couldn't complete email verification: " + err);
+          wsapi.databaseDown(res, err);
+        } else {
+          // clear the pendingCreation token from the session once we
+          // successfully complete user creation
+          delete req.session.pendingCreation;
 
-      db.authForVerificationSecret(req.body.token, function(err, hash) {
-        if (err == 'no password for user' || !hash) {
-          if (!req.body.pass) return httputils.authRequired(res, "password required");
-          err = wsapi.checkPassword(req.body.pass);
-          if (err) {
-            logger.warn("invalid password received: " + err);
-            return httputils.badRequest(res, err);
-          }
-          transitionalPassword = req.body.pass;
+          // At this point, the user is either on the same browser with a token from
+          // their email address, OR they've provided their account password.  It's
+          // safe to grant them an authenticated session.
+          wsapi.authenticateSession(req.session, uid, 'password',
+                                    config.get('ephemeral_session_duration_ms'));
+          res.json({ success: true });
         }
-        completeCreation();
       });
-      // END TRANSITIONAL CODE
-
-      function completeCreation() {
-        db.gotVerificationSecret(req.body.token, function(err, email, uid) {
-          if (err) {
-            logger.warn("couldn't complete email verification: " + err);
-            wsapi.databaseDown(res, err);
-          } else {
-            // FIXME: not sure if we want to do this (ba)
-            // at this point the user has set a password associated with an email address
-            // that they've verified.  We create an authenticated session.
-            wsapi.authenticateSession(req.session, uid, 'password',
-                                      config.get('ephemeral_session_duration_ms'));
-            res.json({ success: true });
-
-            // TRANSITIONAL CODE
-            if (transitionalPassword) {
-              wsapi.bcryptPassword(transitionalPassword, function(err, hash) {
-                if (err) {
-                  logger.warn("couldn't bcrypt pass for old verification link: " + err);
-                  return;
-                }
-
-                db.updatePassword(uid, hash, function(err) {
-                  if (err) {
-                    logger.warn("couldn't bcrypt pass for old verification link: " + err);
-                  }
-                });
-              });
-            }
-            // END TRANSITIONAL CODE
-          }
-        });
-      }
     });
   }
 };
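Review bot: The new comment above `wsapi.authenticateSession(req.session, uid, 'password', ...)` says granting a session is safe, but it does not explain why the level is recorded as 'password' on the same-browser path, where the request is accepted on `req.body.token === req.session.pendingCreation` and no password is checked in this request. If other endpoints treat 'password' as proof of a just-verified password (not visible here), the comment should state the reasoning, for example `// same-browser path: the password was chosen in this session when the account was staged, hence 'password' level`, assuming that is the intent. Separately, every error from `db.gotVerificationSecret` is reported through `wsapi.databaseDown`, so a token consumed between the `haveVerificationSecret` check and this call would surface as an outage rather than as `{ success: false }`; a short comment noting that the `known` check is advisory and the second call is authoritative would help. `exports.process` begins outside this hunk.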