diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 8c9e77ce99e7b888ccc94a20c06a261f9e6d5362..bae2b79b7a7a42407eafebb7cbeac9ce668f755f 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -4,7 +4,16 @@
 const db = require('./db.js'),
       url = require('url'),
       httputils = require('./httputils.js');
-      email = require('./email.js');
+      email = require('./email.js'),
+      crypto = require('crypto');   
+
+// md5 is used to obfuscate passwords simply so we don't store
+// users passwords in plaintext anywhere
+function obfuscatePassword(pass) {
+  var hash = crypto.createHash('sha256');
+  hash.update(pass);
+  return hash.digest('base64');
+}
 
 function checkParams(getArgs, resp, params) {
   try {
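Review bot: `obfuscatePassword` stores a single unsalted SHA-256 digest, which is cheap to brute-force offline and maps equal passwords to equal values, so a leaked store still exposes weak or reused passwords. A per-user random salt with a deliberately slow KDF (for example `crypto.pbkdf2`) is the usual choice; the salt would have to be stored with the digest so the check in `authenticate_user` can recompute it, and the same applies to the call in `stage_user`. The comment says md5 while the code uses sha256; something like `// SHA-256 digest so the raw password is never stored (unsalted, not a password KDF)` would match the code. Separately, the context line `httputils = require('./httputils.js');` still ends in `;`, so `email` and the new `crypto` are assigned outside the `const` declaration as implicit globals; that `;` should become `,`.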
@@ -53,6 +62,8 @@ exports.stage_user = function(req, resp) {
   if (!checkParams(getArgs, resp, [ "email", "pass", "pubkey", "site" ])) {
     return;
   }
+   
+  getArgs.pass = obfuscatePassword(getArgs.pass);
 
   try {
     // upon success, stage_user returns a secret (that'll get baked into a url
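Review bot: The added `getArgs.pass = obfuscatePassword(getArgs.pass);` runs before the `try` that opens two lines later, so an exception from `hash.update` is not caught by it. `hash.update` throws on a value that is neither a string nor a buffer, which a parsed query can produce when a parameter is repeated; `checkParams` is only partly visible here and may already reject that. If it does not, a guard such as `if (typeof getArgs.pass !== 'string') return httputils.badRequest(resp);` (using whatever error helper the file already has) or moving the call inside the `try` would keep the handler from crashing. The body of `stage_user` continues outside the hunk.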
@@ -102,6 +113,8 @@ exports.authenticate_user = function(req, resp) {
 
   if (!checkParams(getArgs, resp, [ "email", "pass" ])) return;
 
+  getArgs.pass = obfuscatePassword(getArgs.pass);
+
   db.checkAuth(getArgs.email, getArgs.pass, function(rv) {
     if (rv) {
       if (!req.session) req.session = {};
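Review bot: After this change `db.checkAuth` receives the digest rather than the submitted password, so any account whose stored value was written before this commit would presumably stop authenticating unless the store is migrated or reset. The hunk does not show how existing records are handled; a short comment above the call, e.g. `// stored value is the obfuscatePassword() digest; records written before that change must be re-staged`, would make the assumption explicit. It is also worth confirming that the comparison inside `checkAuth` (not visible here) does not log the value it is given.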