Not sure that will work though as I'm using SHA1 encryption and my understanding is that the system can't decrypt passwords, and since the encrypted value doesn't match the number of characters in the actual password, I can't match that either. Not to worry, I may just use the POST value - the chances are if a user inputs an incorrect password, it would probably be a similar length to the real password and they'd be told to update it anyway, which probably isn't a bad thing.