diff --git a/auth/auth.go b/auth/auth.go
index 531154b..089faae 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -103,7 +103,11 @@ func (a *Auth) loginHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
 		return a.templates.Render(ctx, w, r, tplLogin, errData)
 	}
 
-	if err := validateCredentials(ctx, key, password); err != nil {
+	if valid, err := validateCredentials(ctx, key, password); err != nil {
+		errData["error"] = "Internal server error"
+		fmt.Fprintf(a.LogWriter, "auth: validate credentials failed: %v", err)
+		return a.templates.Render(ctx, w, r, tplLogin, errData)
+	} else if !valid {
 		return a.templates.Render(ctx, w, r, tplLogin, errData)
 	}
 
@@ -136,21 +140,21 @@ func (a *Auth) loginHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
 	return nil
 }
 
-func validateCredentials(ctx *authboss.Context, key, password string) error {
+func validateCredentials(ctx *authboss.Context, key, password string) (bool, error) {
 	if err := ctx.LoadUser(key); err != nil {
-		return err
+		return false, err
 	}
 
 	actualPassword, err := ctx.User.StringErr(authboss.StorePassword)
 	if err != nil {
-		return err
+		return false, err
 	}
 
 	if err := bcrypt.CompareHashAndPassword([]byte(actualPassword), []byte(password)); err != nil {
-		return err
+		return false, nil
 	}
 
-	return nil
+	return true, nil
 }
 
 func (a *Auth) logoutHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r *http.Request) error {
diff --git a/auth/auth_test.go b/auth/auth_test.go
index 8eb716b..3eea1b7 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"bytes"
 	"errors"
 	"html/template"
 	"io/ioutil"
@@ -198,6 +199,9 @@ func TestAuth_loginHandlerFunc_POST_AuthenticationFailure(t *testing.T) {
 	a, _ := testSetup()
 
+	log := &bytes.Buffer{}
+	a.LogWriter = log
+
 	ctx, w, r, _ := testRequest(a.Authboss, "POST", "username", "john", "password", "1")
 	if err := a.loginHandlerFunc(ctx, w, r); err != nil {
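Review bot: The log line written with `fmt.Fprintf` in the new error branch has no trailing newline, so successive entries in `a.LogWriter` run together on one line; use `fmt.Fprintf(a.LogWriter, "auth: validate credentials failed: %v\n", err)`. The test added in auth_test.go only checks for the message prefix and would not catch this. The `else if !valid` branch renders whatever errData held before the hunk; confirm that is still the generic invalid-credentials message and not a stale value. loginHandlerFunc starts and ends outside this hunk.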
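Review bot: A failure from `ctx.LoadUser(key)` is now returned as `(false, err)`, which the caller renders as "Internal server error", while a wrong password for an existing account is `(false, nil)` and renders the normal invalid-credentials page — so an unknown username and a wrong password now produce visibly different responses, which lets a client tell which accounts exist; before this change both were collapsed into one error return. If the storer can signal a missing user distinctly from a storage failure, map that case to `return false, nil` here and reserve the error return for real lookup failures; otherwise the two branches in the caller should render the same page. The new signature also deserves a doc comment, e.g. `// validateCredentials reports whether key/password match a stored user; a non-nil error means the lookup itself failed, not that the credentials were rejected.` The unknown-user path also skips the bcrypt comparison, so its response time differs as well; that predates this change but is worth noting alongside it.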
@@ -224,9 +228,13 @@ func TestAuth_loginHandlerFunc_POST_AuthenticationFailure(t *testing.T) {
 	}
 
 	body = w.Body.String()
-	if !strings.Contains(body, "invalid username and/or password") {
+	if !strings.Contains(body, "Internal server error") {
 		t.Error("Should have rendered with error")
 	}
+
+	if !bytes.Contains(log.Bytes(), []byte("auth: validate credentials failed:")) {
+		t.Error("Should have logged error message")
+	}
 }
 
 func TestAuth_loginHandlerFunc_POST(t *testing.T) {
@@ -305,17 +313,13 @@ func TestAuth_validateCredentials(t *testing.T) {
 	ctx := ab.NewContext()
 
-	if err := validateCredentials(ctx, "", ""); err.Error() != "Failed to load user" {
+	if _, err := validateCredentials(ctx, "", ""); err.Error() != "Failed to load user" {
 		t.Error("Unexpected error:", err)
 	}
 
 	storer.GetErr = ""
 	storer.Users["john"] = authboss.Attributes{"password": "$2a$10$pgFsuQwdhwOdZp/v52dvHeEi53ZaI7dGmtwK4bAzGGN5A4nT6doqm"}
 
-	if err := validateCredentials(ctx, "john", "b"); err == nil {
-		t.Error("Expected error about passwords mismatch")
-	}
-
-	if err := validateCredentials(ctx, "john", "a"); err != nil {
+	if _, err := validateCredentials(ctx, "john", "a"); err != nil {
 		t.Error("Unexpected error:", err)
 	}
 }
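Review bot: TestAuth_loginHandlerFunc_POST_AuthenticationFailure now asserts the lookup-failure rendering ("Internal server error"), and the assertion that a rejected login renders `invalid username and/or password` was replaced rather than kept, so as far as this diff shows the wrong-password branch of loginHandlerFunc is no longer asserted anywhere. Either keep the original assertion in a sibling test whose storer holds a user with a bcrypt hash and posts a wrong password, or rename this test to say it covers the storage-error path. The test function starts outside this hunk.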
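Review bot: The removed check for `validateCredentials(ctx, "john", "b")` is not replaced, so the new `return false, nil` path on a bcrypt mismatch has no test, and the remaining call discards the bool, so a regression that returned `(false, nil)` for the correct password would still pass. Restore the mismatch case as `if valid, err := validateCredentials(ctx, "john", "b"); err != nil || valid { t.Error("Expected mismatch to report valid=false with nil error") }` and tighten the success case to `if valid, err := validateCredentials(ctx, "john", "a"); err != nil || !valid {`. The first call in the hunk still dereferences `err.Error()` without a nil check and will panic rather than fail cleanly if the lookup ever succeeds; that predates this change.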