diff --git a/debian/changelog b/debian/changelog
index 3d831632..5aa1ee03 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-hedera-web (1.406.53) stable; urgency=low
+hedera-web (1.406.54) stable; urgency=low
 
   * Initial Release.
 
diff --git a/package.json b/package.json
index 90e891cc..2d6faf30 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "hedera-web",
-  "version": "1.406.53",
+  "version": "1.406.54",
   "description": "Verdnatura web page",
   "license": "GPL-3.0",
   "repository": {
diff --git a/rest/core/account.php b/rest/core/account.php
index 69992142..819cd79e 100644
--- a/rest/core/account.php
+++ b/rest/core/account.php
@@ -27,6 +27,8 @@ class Account {
 			self::sambaSync($db, $userName, $password);
 		}
 
+		$bcryptPassword = password_hash($password, PASSWORD_BCRYPT);
+		
 		$userId = $db->getValue(
 			'SELECT id FROM account.user WHERE `name` = #',
 			[$userName]
@@ -36,8 +38,11 @@ class Account {
 			[$userId, $password]
 		);
 		$db->query(
-			'UPDATE account.user SET sync = TRUE WHERE id = #',
-			[$userId]
+			'UPDATE account.user SET
+				sync = TRUE,
+				bcryptPassword = #
+				WHERE id = #',
+			[$bcryptPassword, $userId]
 		);
 	}
 
diff --git a/web/service.php b/web/service.php
index 63158958..aef926c2 100644
--- a/web/service.php
+++ b/web/service.php
@@ -119,12 +119,7 @@ abstract class Service {
 	}
 	
 	/**
-	 * Tries to retrieve user credentials from many sources such as POST,
-	 * SESSION or COOKIES. If $_POST['remember'] is defined the user credentials 
-	 * are saved on the client brownser for future logins, cookies names are
-	 * 'vn_user' for the user name and 'vn_pass' for user password, the
-	 * password is encoded using base64_encode() function and should be decoded
-	 * using base64_decode().
+	 * Authenticates the user with it's credentials or token.
 	 *
 	 * return Db\Conn The database connection
 	 */
@@ -132,18 +127,33 @@ abstract class Service {
 		$db = $this->db;
 		$anonymousUser = FALSE;
 		
-		if (isset($_POST['user']) && isset($_POST['password'])) {
+		if (isset($_POST['user']) && !empty($_POST['password'])) {
 			$user = strtolower($_POST['user']);
-			
-			try {
-				$db->query('CALL account.userLogin(#, #)',
-					[$user, $_POST['password']]);
-			} catch (Db\Exception $e) {
-				if ($e->getMessage() == 'INVALID_CREDENTIALS') {
-					sleep(3);
-					throw new BadLoginException();
-				} else
-					throw $e;
+
+			$passwordHash = $db->getValue(
+				'SELECT bcryptPassword FROM account.user
+					WHERE `name` = #',
+				[$user]
+			);
+
+			$passwordOk = !empty($passwordHash)
+				&& password_verify($_POST['password'], $passwordHash);
+
+			// XXX: Compatibility with old MD5 passwords
+			if (empty($passwordHash)) {
+				$md5Password = $db->getValue(
+					'SELECT `password` FROM account.user
+						WHERE `name` = #',
+					[$user]
+				);
+
+				$passwordOk = !empty($md5Password)
+					&& $md5Password == md5($_POST['password']);
+			}
+
+			if (!$passwordOk) {
+				// sleep(3);
+				throw new BadLoginException();
 			}
 		} else {
 			if (isset($_POST['token']) || isset($_GET['token'])) {