diff --git a/pkg/api/user.go b/pkg/api/user.go
index 649f71e..7480e85 100644
--- a/pkg/api/user.go
+++ b/pkg/api/user.go
@@ -95,7 +95,7 @@ func login(w http.ResponseWriter, r *http.Request) {
 return
 }
- expiresIn := utils.ClampCookieAge(*credentials.ExpiresIn)
+ expiresIn := utils.ClampCookieAge(credentials.ExpiresIn)
 if credentials.Username != "" && credentials.Password != "" {
 access, userUUID, role := loginHelper(w, *credentials, db.Role(0))
@@ -128,7 +128,12 @@ func login(w http.ResponseWriter, r *http.Request) {
 ExpiresIn: credentials.ExpiresIn,
 }, r.URL.Path)
 return
- } else if credentials.Passphrase == config.Credentials.Passphrase {
+ } else if credentials.Passphrase != "" {
+ if config.Credentials.Passphrase != credentials.Passphrase {
+ errorHandler(w, http.StatusUnauthorized, "", r.URL.Path)
+ return
+ }
+
 passphraseCookie := http.Cookie{
 Name: "mtsu.jwt",
 Value: "Passphrase " + credentials.Passphrase,
diff --git a/pkg/utils/validations.go b/pkg/utils/validations.go
index 613986f..fbfc48a 100644
--- a/pkg/utils/validations.go
+++ b/pkg/utils/validations.go
@@ -22,8 +22,12 @@ const minCookieAge = 60
 const maxCookieAge = 365 * 24 * 60 * 60 // year in seconds
 // ClampCookieAge returns a valid cookie age in seconds.
-func ClampCookieAge(seconds int64) int64 {
- return Clamp(seconds, minCookieAge, maxCookieAge)
+func ClampCookieAge(seconds *int64) int64 {
+ if seconds == nil {
+ return maxCookieAge
+ }
+ return Clamp(*seconds, minCookieAge, maxCookieAge)
 }
 // IsValidSessionName checks if the session name is valid.
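Review bot: The clamped `expiresIn` is computed at the top of this hunk, but the value handed on at `ExpiresIn: credentials.ExpiresIn,` in the next hunk of the same function appears to be the raw, unclamped pointer rather than `expiresIn`, so a client that omits the field or sends an out-of-range value may be told a lifetime that differs from the one the cookie actually gets. If that field is the client-facing lifetime, passing the clamped value (`ExpiresIn: &expiresIn,`, assuming the field is `*int64` like `credentials.ExpiresIn`) keeps the two consistent; the struct type is not visible here, so confirm. `login` starts and ends outside the hunk.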
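Review bot: The new check `if config.Credentials.Passphrase != credentials.Passphrase {` compares a secret with an ordinary string comparison, which stops at the first differing byte; use `if subtle.ConstantTimeCompare([]byte(config.Credentials.Passphrase), []byte(credentials.Passphrase)) != 1 {` (import `crypto/subtle`) so the rejection time does not depend on how much of the passphrase matched. The same branch still places the raw passphrase into the cookie at `Value: "Passphrase " + credentials.Passphrase,`, which the commit leaves untouched; a comment explaining why the cookie carries the secret itself rather than a derived session token would help the next reader judge the exposure. `login` continues outside the hunk.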
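Review bot: The doc comment `// ClampCookieAge returns a valid cookie age in seconds.` no longer describes the nil case that this hunk adds, where a nil `seconds` returns `maxCookieAge` (a year per the constant's comment); update it to `// ClampCookieAge returns a valid cookie age in seconds; a nil seconds yields maxCookieAge.`. Defaulting an omitted value to the longest permitted lifetime rather than a shorter one is a policy decision, and since every caller that passes nil now gets a year-long cookie, it is worth stating that choice in the comment rather than leaving it implicit in the branch.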