diff --git a/irc/handlers.go b/irc/handlers.go
index c9300920..95935bf3 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -166,6 +166,12 @@ func authenticateHandler(server *Server, client *Client, msg ircmsg.Message, rb
 
 	// start new sasl session
 	if session.sasl.mechanism == "" {
+		throttled, remainingTime := client.loginThrottle.Touch()
+		if throttled {
+			rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), fmt.Sprintf(client.t("Please wait at least %v and try again"), remainingTime))
+			return false
+		}
+
 		mechanism := strings.ToUpper(msg.Params[0])
 		_, mechanismIsEnabled := EnabledSaslMechanisms[mechanism]
 
@@ -247,12 +253,6 @@ func authPlainHandler(server *Server, client *Client, session *Session, value []
 		return false
 	}
 
-	throttled, remainingTime := client.loginThrottle.Touch()
-	if throttled {
-		rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), fmt.Sprintf(client.t("Please wait at least %v and try again"), remainingTime))
-		return false
-	}
-
 	// see #843: strip the device ID for the benefit of clients that don't
 	// distinguish user/ident from account name
 	if strudelIndex := strings.IndexByte(authcid, '@'); strudelIndex != -1 {
@@ -347,12 +347,6 @@ func authScramHandler(server *Server, client *Client, session *Session, value []
 
 	// first message? if so, initialize the SCRAM conversation
 	if session.sasl.scramConv == nil {
-		throttled, remainingTime := client.loginThrottle.Touch()
-		if throttled {
-			rb.Add(nil, server.name, ERR_SASLFAIL, client.Nick(), fmt.Sprintf(client.t("Please wait at least %v and try again"), remainingTime))
-			continueAuth = false
-			return false
-		}
 		session.sasl.scramConv = server.accounts.NewScramConversation()
 	}