diff --git a/app/models/user.rb b/app/models/user.rb
index 60ee3fe0..072e2367 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -203,7 +203,7 @@ class User < ApplicationRecord
 def self.authenticate(login, password)
 user = find_by_nick(login) || find_by_email(login)
- if user && user.has_password(password)
+ if user && password && user.has_password(password)
 user
 else
 nil
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 766e0182..6bafe37e 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -32,6 +32,12 @@ describe User do
 it 'can not authenticate with incorrect password' do
 expect(User.authenticate(user.nick, 'foobar')).to be_nil
 end
+ it 'can not authenticate with nil nick' do
+ expect(User.authenticate(nil, 'blahblah')).to be_nil
+ end
+ it 'can not authenticate with nil password' do
+ expect(User.authenticate(user.nick, nil)).to be_nil
+ end
 it 'can not set a password without matching confirmation' do
 user.password = 'abcdefghij'
 user.password_confirmation = 'foobarxyz'
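Review bot: The added `password &&` guard on the `if` line rejects only nil; an empty string is truthy in Ruby, so `User.authenticate(login, '')` still reaches `user.has_password('')` and relies on that method rejecting blanks, which the hunk does not show. Under ActiveSupport the check can cover both cases with `password.present?`. The lookup `find_by_nick(login) || find_by_email(login)` also runs before any guard, so with a nil login the dynamic finders query for a NULL column value and, if either column is nullable, could return a real record; a guard at the top of the method, `return nil if login.blank? || password.blank?`, closes that path as well. With that guard in place the `if … else nil end` reduces to `user if user&.has_password(password)`. The method's `end` lies outside the hunk.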
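Review bot: The two new examples in `spec/models/user_spec.rb` pin the nil login and nil password cases but leave the blank-string inputs untested, which are the ones the model's `password &&` guard does not cover. Add an example alongside them such as `it 'can not authenticate with blank password' do` / `expect(User.authenticate(user.nick, '')).to be_nil` / `end`, and a matching one for `User.authenticate('', 'blahblah')`, so the spec documents the intended behaviour for empty as well as nil credentials.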