diff --git a/lib/wsapi/update_password.js b/lib/wsapi/update_password.js
index b7698696e35f9f4e39cc2640c2a59f22b3b1e7b4..9cbad100ff263c6a7d80f23cf823d20b41f5390d 100644
--- a/lib/wsapi/update_password.js
+++ b/lib/wsapi/update_password.js
@@ -23,6 +23,11 @@ exports.process = function(req, res) {
         return res.json({ success: false });
       }
 
+      if (!success) {
+        logger.info("password update fails, incorrect old password");
+        return res.json({ success: false });
+      }
+
       logger.info("updating password for email " + req.session.authenticatedUser);
       wsapi.bcryptPassword(req.body.newpass, function(err, hash) {
         if (err) {