diff --git a/server/handlers_test.go b/server/handlers_test.go
index fb1a05064fe33a84d240ca24fbf814e729467b51..5e2a588d9bfeec3acba6eab5b00fd38e583a44b5 100644
--- a/server/handlers_test.go
+++ b/server/handlers_test.go
@@ -265,7 +265,7 @@ func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {
 	require.NoError(t, err)
 }
 
-func TestPasswordConnectorDataNotEmpty(t *testing.T) {
+func TestHandlePassword(t *testing.T) {
 	t0 := time.Now()
 
 	ctx, cancel := context.WithCancel(context.Background())
@@ -280,33 +280,46 @@ func TestPasswordConnectorDataNotEmpty(t *testing.T) {
 
 	mockConnectorDataTestStorage(t, s.storage)
 
-	u, err := url.Parse(s.issuerURL.String())
-	require.NoError(t, err)
+	makeReq := func(username, password string) *httptest.ResponseRecorder {
+		u, err := url.Parse(s.issuerURL.String())
+		require.NoError(t, err)
 
-	u.Path = path.Join(u.Path, "/token")
-	v := url.Values{}
-	v.Add("scope", "openid offline_access email")
-	v.Add("grant_type", "password")
-	v.Add("username", "test")
-	v.Add("password", "test")
+		u.Path = path.Join(u.Path, "/token")
+		v := url.Values{}
+		v.Add("scope", "openid offline_access email")
+		v.Add("grant_type", "password")
+		v.Add("username", username)
+		v.Add("password", password)
 
-	req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
-	req.SetBasicAuth("test", "barfoo")
+		req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
+		req.SetBasicAuth("test", "barfoo")
 
-	rr := httptest.NewRecorder()
-	s.ServeHTTP(rr, req)
+		rr := httptest.NewRecorder()
+		s.ServeHTTP(rr, req)
 
-	require.Equal(t, 200, rr.Code)
+		return rr
+	}
 
-	// Check that we received expected refresh token
-	var ref struct {
-		Token string `json:"refresh_token"`
+	// Check unauthorized error
+	{
+		rr := makeReq("test", "invalid")
+		require.Equal(t, 401, rr.Code)
 	}
-	err = json.Unmarshal(rr.Body.Bytes(), &ref)
-	require.NoError(t, err)
 
-	newSess, err := s.storage.GetOfflineSessions("0-385-28089-0", "test")
-	require.NoError(t, err)
-	require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
+	// Check that we received expected refresh token
+	{
+		rr := makeReq("test", "test")
+		require.Equal(t, 200, rr.Code)
+
+		var ref struct {
+			Token string `json:"refresh_token"`
+		}
+		err := json.Unmarshal(rr.Body.Bytes(), &ref)
+		require.NoError(t, err)
+
+		newSess, err := s.storage.GetOfflineSessions("0-385-28089-0", "test")
+		require.NoError(t, err)
+		require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
+	}
 }
diff --git a/server/templates.go b/server/templates.go
index 245378918fd96d2a785d9365cdff37222e601fe4..e6ab3a793c754095cad38babdb4558794db8318f 100644
--- a/server/templates.go
+++ b/server/templates.go
@@ -286,6 +286,9 @@ func (t *templates) login(r *http.Request, w http.ResponseWriter, connectors []c
 }
 
 func (t *templates) password(r *http.Request, w http.ResponseWriter, postURL, lastUsername, usernamePrompt string, lastWasInvalid bool, backLink string) error {
+	if lastWasInvalid {
+		w.WriteHeader(http.StatusUnauthorized)
+	}
 	data := struct {
 		PostURL        string
 		BackLink       string