diff --git a/common/models/user.js b/common/models/user.js
index 5ef2ad2f..f3a5b23b 100644
--- a/common/models/user.js
+++ b/common/models/user.js
@@ -501,7 +501,13 @@ module.exports = function(User) {
 this.settings.ttl = this.settings.ttl || DEFAULT_TTL;
 UserModel.setter.password = function(plain) {
- this.$password = this.constructor.hashPassword(plain);
+ if (plain.indexOf('$2a$') === 0 && plain.length === 60) {
+ // The password is already hashed. It can be the case
+ // when the instance is loaded from DB
+ this.$password = plain;
+ } else {
+ this.$password = this.constructor.hashPassword(plain);
+ }
 };
 // Make sure emailVerified is not set by creation
diff --git a/test/user.test.js b/test/user.test.js
index 6caeb34d..82703299 100644
--- a/test/user.test.js
+++ b/test/user.test.js
@@ -137,6 +137,13 @@ describe('User', function() {
 assert(u.password !== 'bar');
 });
+ it('does not hash the password if it\'s already hashed', function() {
+ var u1 = new User({username: 'foo', password: 'bar'});
+ assert(u1.password !== 'bar');
+ var u2 = new User({username: 'foo', password: u1.password});
+ assert(u2.password === u1.password);
+ });
+
 describe('custom password hash', function() {
 var defaultHashPassword;
 var defaultValidatePassword;
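Review bot: The new branch in the `password` setter decides that a value is already hashed from its shape alone (`$2a$` prefix and length 60), and that setter presumably also receives passwords submitted by API clients, not just values hydrated from the DB. A client-supplied string of that shape would then be stored verbatim, bypassing `hashPassword` and whatever work factor it applies; a 60-character plaintext starting with `$2a$` would be persisted in clear. `plain.indexOf` also throws a TypeError when `plain` is not a string. If skipping the hash cannot be limited to the datastore load path, tighten the check to the full bcrypt layout and guard the type: `if (typeof plain === 'string' && /^\$2a\$\d{2}\$[./A-Za-z0-9]{53}$/.test(plain)) {`, and add a comment stating that input matching this pattern is trusted as a hash.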
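Review bot: The added test only covers the round trip of a hash produced by the model itself, so the boundary of the `$2a$`/length-60 check is not pinned. Add a near-miss case showing that anything short of a full hash is still hashed, e.g. `var p = u1.password.slice(0, 59); var u3 = new User({username: 'foo', password: p});` followed by `assert(u3.password !== p);`. The 'custom password hash' suite that follows in this file suggests `hashPassword` can be overridden; a test there would be worthwhile too, since output that does not look like `$2a$…` would presumably be hashed again on load.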