diff --git a/app/models/user.rb b/app/models/user.rb
index 0b528cbef..a55a3e754 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -320,7 +320,10 @@ class User < ActiveRecord::Base
 
   def password=(password)
     # special case for passwordless accounts
-    @raw_password = password unless password.blank?
+    unless password.blank?
+      @raw_password = password
+      self.auth_token = nil
+    end
   end
 
   def password
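Review bot: The new `self.auth_token = nil` on the line after the `@raw_password` assignment has no explanation, and the existing comment above the guard only covers the blank-password case, so the intent of revoking existing sessions on a password change is easy to lose in a later refactor; add `# a new password must invalidate the current auth token so existing sessions are revoked` directly above it. Note that the token is only cleared, not regenerated — the spec in this same commit asserts `to_not eq(old_token)`, which nil satisfies trivially, so if a fresh token is expected after the next save that path presumably lives elsewhere and is worth pinning in the assertion too. The reset also fires when the current password is assigned again unchanged, which is likely acceptable but should be a deliberate choice. With the guard now wrapping two statements, `return if password.blank?` followed by the two assignments would read more idiomatically than the `unless` block.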
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 9e676b149..a204083e0 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -509,18 +509,24 @@ describe User do
   end
 
   describe 'passwords' do
-    before do
+
+    it "should not have an active account with a good password" do
       @user = Fabricate.build(:user, active: false)
       @user.password = "ilovepasta"
       @user.save!
-    end
 
-    it "should have a valid password after the initial save" do
-      expect(@user.confirm_password?("ilovepasta")).to eq(true)
-    end
+      @user.auth_token = SecureRandom.hex(16)
+      @user.save!
 
-    it "should not have an active account after initial save" do
       expect(@user.active).to eq(false)
+      expect(@user.confirm_password?("ilovepasta")).to eq(true)
+
+      old_token = @user.auth_token
+      @user.password = "passwordT"
+      @user.save!
+
+      # must expire old token on password change
+      expect(@user.auth_token).to_not eq(old_token)
     end
   end