diff --git a/models/record.go b/models/record.go
index f646d9f3..d8dbff4b 100644
--- a/models/record.go
+++ b/models/record.go
@@ -586,6 +586,11 @@ func (m *Record) SetLastVerificationSentAt(dateTime types.DateTime) error {
 	return nil
 }
 
+// PasswordHash returns the "passwordHash" auth record data value.
+func (m *Record) PasswordHash() string {
+	return m.GetString(schema.FieldNamePasswordHash)
+}
+
 // ValidatePassword validates a plain password against the auth record password.
 //
 // Returns false if the password is incorrect or record is not from an auth collection.
@@ -594,10 +599,8 @@ func (m *Record) ValidatePassword(password string) bool {
 		return false
 	}
 
-	err := bcrypt.CompareHashAndPassword(
-		[]byte(m.GetString(schema.FieldNamePasswordHash)),
-		[]byte(password),
-	)
+	err := bcrypt.CompareHashAndPassword([]byte(m.PasswordHash()), []byte(password))
+
 	return err == nil
 }
 
diff --git a/models/record_test.go b/models/record_test.go
index 79059481..86fc8b17 100644
--- a/models/record_test.go
+++ b/models/record_test.go
@@ -1603,6 +1603,20 @@ func TestRecordLastVerificationSentAt(t *testing.T) {
 	}
 }
 
+func TestRecordPasswordHash(t *testing.T) {
+	m := models.NewRecord(&models.Collection{})
+
+	if v := m.PasswordHash(); v != "" {
+		t.Errorf("Expected PasswordHash() to be empty, got %v", v)
+	}
+
+	m.Set(schema.FieldNamePasswordHash, "test")
+
+	if v := m.PasswordHash(); v != "test" {
+		t.Errorf("Expected PasswordHash() to be 'test', got %v", v)
+	}
+}
+
 func TestRecordValidatePassword(t *testing.T) {
 	// 123456
 	hash := "$2a$10$YKU8mPP8sTE3xZrpuM.xQuq27KJ7aIJB2oUeKPsDDqZshbl5g5cDK"