diff --git a/src/main.rs b/src/main.rs
index 175827d..480fd7a 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -107,24 +107,33 @@ async fn post_update_ldap(mut req: Request) -> tide::Result {
 ldap.simple_bind(&dn, &pass)?.success()?;
 // always assume insecure
- let mut secure = false;
+ let mut pw_keep_same = false;
 // get the users current password hash
 let (rs, _res) = ldap.search(&dn,Scope::Base,"(objectClass=*)",vec!["userPassword"])?.success()?;
 if !rs.is_empty() {
 let tmp = SearchEntry::construct(rs[0].clone());
 if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SHA512}") {
- secure = true;
+ pw_keep_same = true;
 }
 }
- let mut mods = vec![
- Mod::Replace(field, HashSet::from([value]))
- ];
-
- if !secure {
+
+ let mut mods = vec![];
+
+ // check if the password field itself is being updated
+ let pass_new = if &field != "userPassword" {
+ mods.push(Mod::Replace(field, HashSet::from([value])));
+ // retain the older password
+ pass
+ } else {
+ pw_keep_same = false;
+ value
+ };
+
+ if !pw_keep_same {
 let mut hasher = Sha512::new();
- hasher.input_str(&pass);
+ hasher.input_str(&pass_new);
 // get it as hex string
 let hex = hasher.result_str();