diff --git a/hub/api/api.go b/hub/api/api.go
index 1790932..0922f30 100644
--- a/hub/api/api.go
+++ b/hub/api/api.go
@@ -127,7 +127,7 @@ func (a *API) Session_SignIn(pwd string) (Session, error) {
 		return Session{}, errs.ErrUnexpected
 	}
 	if err := bcrypt.CompareHashAndPassword(conf.Password, []byte(pwd)); err != nil {
-		return Session{}, errs.NotAuthorized.WithMsg("Not authorized.")
+		return Session{}, errs.ErrNotAuthorized
 	}
 
 	a.sessionsMu.Lock()
diff --git a/hub/errs/types.go b/hub/errs/types.go
index 86a8c9e..6ba9b1f 100644
--- a/hub/errs/types.go
+++ b/hub/errs/types.go
@@ -15,9 +15,12 @@ func (e *Error) Error() string {
 }
 
 var (
-	ErrUnexpected    = Internal.WithMsg("Unexpected internal error.")
-	ErrNotFound      = NotFound.WithMsg("Not found.")
-	ErrAlreadyExists = Conflict.WithMsg("Already exists.")
+	ErrNotAuthorized    = NotAuthorized.WithMsg("Not authorized.")
+	ErrInvalidPassword  = BadRequest.WithMsg("Invalid password.")
+	ErrPasswordMismatch = BadRequest.WithMsg("Passwords don't match.")
+	ErrUnexpected       = Internal.WithMsg("Unexpected internal error.")
+	ErrNotFound         = NotFound.WithMsg("Not found.")
+	ErrAlreadyExists    = Conflict.WithMsg("Already exists.")
 
 	// Validation errors.
 	ErrInvalidIP       = BadRequest.WithMsg("Invalid IP.")
diff --git a/hub/handlers.go b/hub/handlers.go
index 80fb16c..7c9686c 100644
--- a/hub/handlers.go
+++ b/hub/handlers.go
@@ -2,9 +2,10 @@ package hub
 
 import (
 	"encoding/json"
-	"errors"
+	"log"
 	"net/http"
 	"vppn/hub/api"
+	"vppn/hub/errs"
 	"vppn/m"
 
 	"git.crumpington.com/lib/go/webutil"
@@ -234,21 +235,22 @@ func (a *App) _adminPasswordSubmit(s *api.Session, w http.ResponseWriter, r *htt
 	}
 
 	if len(newPwd) < 8 {
-		return errors.New("password is too short")
+		return errs.ErrInvalidPassword
 	}
 
 	if newPwd != newPwd2 {
-		return errors.New("passwords don't match")
+		return errs.ErrPasswordMismatch
 	}
 
 	err = bcrypt.CompareHashAndPassword(conf.Password, []byte(curPwd))
 	if err != nil {
-		return err
+		return errs.ErrNotAuthorized
 	}
 
 	hash, err := bcrypt.GenerateFromPassword([]byte(newPwd), bcrypt.DefaultCost)
 	if err != nil {
-		return err
+		log.Printf("Failed to hash password with bcrypt: %v", err)
+		return errs.ErrUnexpected
 	}
 
 	conf.Password = hash