diff --git a/freeze.go b/freeze.go
index 5f0e9f9..06d0c8a 100644
--- a/freeze.go
+++ b/freeze.go
@@ -256,7 +256,9 @@ func NewServerFromFrozen(filename string) (s *Server, err os.Error) {
 
 		s.Users[u.Id] = u
 		s.UserNameMap[u.Name] = u
-		s.UserCertMap[u.CertHash] = u
+		if len(u.CertHash) > 0 {
+			s.UserCertMap[u.CertHash] = u
+		}
 	}
 
 	return s, nil
diff --git a/server.go b/server.go
index 596b81c..c9f4415 100644
--- a/server.go
+++ b/server.go
@@ -351,7 +351,7 @@ func (server *Server) handleAuthenticate(client *Client, msg *Message) {
 	}
 
 	// Did we get a username?
-	if auth.Username == nil {
+	if auth.Username == nil || len(*auth.Username) == 0 {
 		client.RejectAuth("InvalidUsername", "Please specify a username to log in")
 		return
 	}
@@ -392,16 +392,16 @@ func (server *Server) handleAuthenticate(client *Client, msg *Message) {
 		// First look up registration by name.
 		user, exists := server.UserNameMap[client.Username]
 		if exists {
-			if user.CertHash == client.CertHash {
+			if len(client.CertHash) > 0 && user.CertHash == client.CertHash {
 				client.user = user
 			} else {
-				client.Panic("Invalid cert hash for user")
+				client.RejectAuth("WrongUserPW", "Wrong certificate hash")
 				return
 			}
 		}
 
 		// Name matching didn't do.  Try matching by certificate.
-		if client.user == nil {
+		if client.user == nil && len(client.CertHash) > 0 {
 			user, exists := server.UserCertMap[client.CertHash]
 			if exists {
 				client.user = user