diff --git a/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs b/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
index df730731a..c15312a72 100644
--- a/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
+++ b/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
@@ -53,7 +53,7 @@ namespace Jellyfin.Server.Implementations.Users
             bool success = false;
 
             // As long as jellyfin supports passwordless users, we need this little block here to accommodate
-            if (!HasPassword(resolvedUser))
+            if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
             {
                 return Task.FromResult(new ProviderAuthenticationResult
                 {
diff --git a/Jellyfin.Server.Implementations/Users/UserManager.cs b/Jellyfin.Server.Implementations/Users/UserManager.cs
index 23646de61..62c4b9b87 100644
--- a/Jellyfin.Server.Implementations/Users/UserManager.cs
+++ b/Jellyfin.Server.Implementations/Users/UserManager.cs
@@ -2,6 +2,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Globalization;
 using System.Linq;
 using System.Runtime.InteropServices.ComTypes;
@@ -617,6 +618,12 @@ namespace Jellyfin.Server.Implementations.Users
         public void UpdatePolicy(Guid userId, UserPolicy policy)
         {
             var user = GetUserById(userId);
+            int? loginAttempts = policy.LoginAttemptsBeforeLockout switch
+            {
+                -1 => null,
+                0 => 3,
+                _ => policy.LoginAttemptsBeforeLockout
+            };
 
             user.MaxParentalAgeRating = policy.MaxParentalRating;
             user.EnableUserPreferenceAccess = policy.EnableUserPreferenceAccess;
@@ -624,9 +631,7 @@ namespace Jellyfin.Server.Implementations.Users
             user.AuthenticationProviderId = policy.AuthenticationProviderId;
             user.PasswordResetProviderId = policy.PasswordResetProviderId;
             user.InvalidLoginAttemptCount = policy.InvalidLoginAttemptCount;
-            user.LoginAttemptsBeforeLockout = policy.LoginAttemptsBeforeLockout == -1
-                ? null
-                : new int?(policy.LoginAttemptsBeforeLockout);
+            user.LoginAttemptsBeforeLockout = loginAttempts;
             user.SetPermission(PermissionKind.IsAdministrator, policy.IsAdministrator);
             user.SetPermission(PermissionKind.IsHidden, policy.IsHidden);
             user.SetPermission(PermissionKind.IsDisabled, policy.IsDisabled);