diff --git a/src/users.js b/src/users.js
index eeb69063f..6d149d32a 100644
--- a/src/users.js
+++ b/src/users.js
@@ -40,7 +40,7 @@ const STORAGE_KEYS = {
  * @property {string} handle - The user's short handle. Used for directories and other references
  * @property {string} name - The user's name. Displayed in the UI
  * @property {number} created - The timestamp when the user was created
- * @property {string} password - SHA256 hash of the user's password
+ * @property {string} password - Scrypt hash of the user's password
  * @property {string} salt - Salt used for hashing the password
  * @property {boolean} enabled - Whether the user is enabled
  * @property {boolean} admin - Whether the user is an admin (can manage other users)
@@ -372,13 +372,13 @@ function getCookieSessionName() {
 }
 
 /**
- * Hashes a password using SHA256.
+ * Hashes a password using scrypt with the provided salt.
  * @param {string} password Password to hash
  * @param {string} salt Salt to use for hashing
  * @returns {string} Hashed password
  */
 function getPasswordHash(password, salt) {
- return crypto.createHash('sha256').update(password + salt).digest('hex');
+ return crypto.scryptSync(password.normalize(), salt, 64).toString('base64');
 }
 
 /**
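Review bot: The new `scryptSync` call on the `+ return` line of the second hunk relies on Node's default cost parameters (N=16384, r=8, p=1, maxmem 32 MiB), so the work factor that every stored hash depends on is implicit rather than chosen; pin it explicitly, e.g. `return crypto.scryptSync(password.normalize(), salt, 64, { N: 16384, r: 8, p: 1 }).toString('base64');`, so the cost can be reviewed and tuned (raising N also requires raising `maxmem`, since scrypt needs roughly 128·N·r bytes). The change also swaps both the algorithm and the output encoding (hex SHA-256 → base64 scrypt), so any existing user record holding a SHA-256 hash will no longer verify unless a migration or legacy-verify path exists elsewhere — nothing in this hunk handles that, so confirm it is covered. The hash is presumably compared against the stored value at login outside this hunk; that comparison should use `crypto.timingSafeEqual` on equal-length buffers rather than `===`. The `@returns` JSDoc could be tightened to `@returns {string} Base64-encoded scrypt hash of the password` to match the new output. Note that `scryptSync` blocks the event loop for the full derivation; if this runs in a request handler, the async `crypto.scrypt` would avoid stalling concurrent requests.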