diff --git a/lib/db/json.js b/lib/db/json.js
index 6c9555b650f93328ed947c03cc8ba83997ff086c..39683d7eca8e23c8fc07a4e4bb730fd7b908c9fb 100644
--- a/lib/db/json.js
+++ b/lib/db/json.js
@@ -310,7 +310,7 @@ exports.completeConfirmEmail = function(secret, cb) {
           exports.emailToUID(o.email, function(err, uid) {
             if(err) return cb(err, o.email, o.existing_user);
 
-            exports.updatePassword(uid, hash, true, function(err) {
+            exports.updatePassword(uid, hash, false, function(err) {
               cb(err || null, o.email, o.existing_user);
             });
           });
diff --git a/lib/db/mysql.js b/lib/db/mysql.js
index 4c8f1edf36efbd8d10c23e423ac188cd462ba78e..ee9f2ac542397f0964fea7becd1e797e8b39cf91 100644
--- a/lib/db/mysql.js
+++ b/lib/db/mysql.js
@@ -397,7 +397,7 @@ exports.completeConfirmEmail = function(secret, cb) {
     // we're adding or reverifying an email address to an existing user account.  add appropriate
     // entries into email table.
     if (o.passwd) {
-      exports.updatePassword(o.existing_user, o.passwd, true, function(err) {
+      exports.updatePassword(o.existing_user, o.passwd, false, function(err) {
         if (err) return cb('could not set user\'s password');
         addEmailToUser(o.existing_user, o.email, 'secondary', cb);
       });
diff --git a/tests/primary-then-secondary-test.js b/tests/primary-then-secondary-test.js
index 1eb6aaeda15e3cc62ba4954a317ac910291b5989..a0de51402c96f772b12b56c36cf3b6a764d6ffa5 100755
--- a/tests/primary-then-secondary-test.js
+++ b/tests/primary-then-secondary-test.js
@@ -49,6 +49,7 @@ suite.addBatch({
   }
 });
 
+var the_assertion;
 // now let's generate an assertion using this user
 suite.addBatch({
   "generating an assertion": {
@@ -60,6 +61,7 @@ suite.addBatch({
     },
     "and logging in with the assertion succeeds": {
       topic: function(err, assertion)  {
+        the_assertion = assertion;
         wsapi.post('/wsapi/auth_with_assertion', {
           assertion: assertion,
           ephemeral: true
@@ -85,6 +87,32 @@ suite.addBatch({
   }
 });
 
+// this second session, logged in with just the primary, should *not* be
+// invalidated by the addition of a secondary address (and consequent
+// establishment of a password)
+var context2 = {};
+suite.addBatch({
+  "establishing a second session": {
+    topic: function() {
+      wsapi.post('/wsapi/auth_with_assertion', {
+        assertion: the_assertion,
+        ephemeral: true
+      }, context2).call(this);
+    },
+    "works as expected": function(err, r) {
+      assert.strictEqual(JSON.parse(r.body).success, true);
+    },
+    "after waiting for  lastPasswordReset's now() to increment": {
+      topic: function() {
+        // see password-update-test.js for an explanation of this delay
+        setTimeout(this.callback, 2000);
+      },
+      "we've waited long enough": function() {}
+    }
+  }
+});
+
+
 var token;
 // now we have a new account.  let's add a secondary to it
 suite.addBatch({
@@ -238,6 +266,17 @@ suite.addBatch({
   }
 });
 
+// and the second session should still be valid
+suite.addBatch({
+  "second session is still valid": {
+    topic: wsapi.post('/wsapi/prolong_session', {}, context2),
+    "works as expected": function(err, r) {
+      assert.strictEqual(r.code, 200);
+      assert.strictEqual(r.body, "OK");
+    }
+  }
+});
+
 // shut the server down and cleanup
 start_stop.addShutdownBatches(suite);