diff --git a/browserid/lib/db.js b/browserid/lib/db.js
index 6fb423216f13468910988ca75ce101ab227c5dcc..4545f2f71ea37ce55692d7ffee2892a45fb0a40b 100644
--- a/browserid/lib/db.js
+++ b/browserid/lib/db.js
@@ -103,7 +103,8 @@ exports.onReady = function(f) {
   'checkAuth',
   'listEmails',
   'removeEmail',
-  'cancelAccount'
+  'cancelAccount',
+  'updatePassword'
 ].forEach(function(fn) {
   exports[fn] = function() {
     checkReady();
diff --git a/browserid/lib/db_json.js b/browserid/lib/db_json.js
index 1e4e7c6acbc7591a23076a48c2246ee9141b804f..961761a9a5302344f967c672fc5d6433da560921 100644
--- a/browserid/lib/db_json.js
+++ b/browserid/lib/db_json.js
@@ -238,6 +238,14 @@ exports.checkAuth = function(email, cb) {
   setTimeout(function() { cb(m) }, 0);
 };
 
+exports.updatePassword = function(email, hash, cb) {
+  var m = jsel.match(":root > object:has(.emails > :val(" + ESC(email) + "))", db);
+  var err = undefined;
+  if (m.length === 0) err = "no such email address";
+  else m[0].password = hash;
+  setTimeout(function() { cb(err) }, 0);
+};
+
 function emailToUserID(email, cb) {
   var id = undefined;
 
diff --git a/browserid/lib/db_mysql.js b/browserid/lib/db_mysql.js
index 04e891f86a9c908e5921344a45026b6815d394d6..06bd219bf904cd91e58c2398abb282bc108de24c 100644
--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -306,6 +306,16 @@ exports.checkAuth = function(email, cb) {
     });
 }
 
+exports.updatePassword = function(email, hash, cb) {
+  client.query(
+    'UPDATE user SET passwd = ? WHERE id = ( SELECT user FROM email WHERE address = ? )',
+    [ hash, email ],
+    function (err, rows) {
+      if (err) logUnexpectedError(err);
+      cb((err || rows.affectedRows !== 1) ? ("no record with email " + email) : undefined);
+    });
+}
+
 /*
  * list the user's emails.
  *
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 0b32a37e19e554aa0b0c2d34bd80c2f56cc5680d..9cd1bf8b0493d7926ac25f3f3971ff1ae792f4cf 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -385,7 +385,18 @@ function setup(app) {
           if (!req.session) req.session = {};
           setAuthenticatedUser(req.session, req.body.email);
 
-          // if the work factor has changed, update the hash here
+          // if the work factor has changed, update the hash here.  issue #204
+          // NOTE: this runs asynchronously and will not delay the response
+          if (configuration.get('bcrypt_work_factor') != bcrypt.get_rounds(hash)) {
+            logger.info("updating bcrypted password for email " + req.body.email);
+            bcrypt_password(req.body.pass, function(err, hash) {
+              db.updatePassword(req.body.email, hash, function(err) {
+                if (err) {
+                  logger.error("error updating bcrypted password for email " + req.body.email, err);
+                }
+              });
+            });
+          }
         }
         resp.json({ success: success });
       });