diff --git a/Conduit/Conduit.Web/Users/Handlers/GetCurrentUserHandler.cs b/Conduit/Conduit.Web/Users/Handlers/GetCurrentUserHandler.cs
index f98d697a7a..175e3136bc 100644
--- a/Conduit/Conduit.Web/Users/Handlers/GetCurrentUserHandler.cs
+++ b/Conduit/Conduit.Web/Users/Handlers/GetCurrentUserHandler.cs
@@ -18,6 +18,8 @@ public GetCurrentUserHandler(IAuthService authService, IUserDataService userData
 
 public async Task Handle(GetCurrentUserRequest request, CancellationToken cancellationToken)
 {
+// TODO: the whole user could be put into a JWT token, which would mean a database call could be skipped
+
 var usernameClaim = _authService.GetUsernameClaim(request.BearerToken);
 if (usernameClaim.IsNotFound)
 return new GetCurrentUserResult { IsInvalidToken = true };
diff --git a/Conduit/Conduit.Web/Users/Services/AuthService.cs b/Conduit/Conduit.Web/Users/Services/AuthService.cs
index 8a490ff731..8d80ddd825 100644
--- a/Conduit/Conduit.Web/Users/Services/AuthService.cs
+++ b/Conduit/Conduit.Web/Users/Services/AuthService.cs
@@ -18,8 +18,6 @@ public AuthService(IOptions jwtSecrets)
 
 public string GenerateJwtToken(string email, string username)
 {
-// TODO: put username in claim too?
-
 var claims = new[]
 {
 new Claim(ClaimTypes.Email, email),
@@ -42,7 +40,7 @@ public string GenerateJwtToken(string email, string username)
 
 public bool DoesPasswordMatch(string submittedPassword, string passwordFromDatabase, string passwordSalt)
 {
-return HashPassword(submittedPassword, passwordSalt) == passwordFromDatabase;
+return BCrypt.Net.BCrypt.Verify(submittedPassword, passwordFromDatabase);
 }
 
 public string HashPassword(string password, string passwordSalt)
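Review bot: The TODO added at the top of Handle proposes skipping the database lookup by carrying the whole user inside the JWT, but that trades freshness for speed: a token minted before a user is disabled, deleted or renamed would keep answering as if nothing had changed until it expires, and nothing in the hunk shows a revocation list or short expiry that would bound that window. A JWT is also only signed, not encrypted, so "the whole user" would have to exclude anything the client must not see (the stored password hash, at minimum). The comment should carry the trade-off so it is not later implemented as a free win, e.g. `// TODO: the whole user could be put into the JWT to skip the DB call — but disables/renames would then only take effect at token expiry, and the payload is readable by the client; needs short expiry or revocation, and a trimmed DTO, first`. Handle's body continues past the end of the hunk.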
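Review bot: Verify is handed whatever came out of the database with no shape check, so a null, empty or legacy (non-bcrypt) stored value makes DoesPasswordMatch throw instead of returning false — BCrypt.Net's Verify raises on a hash string it cannot parse, as far as I recall, rather than reporting a mismatch. Existing rows hashed by the old HashPassword-plus-salt scheme will hit exactly that path unless they are re-hashed on next login or migrated; the trailing context shows `HashPassword(string password, string passwordSalt)` still present with its old signature and its body outside the hunk, so I cannot tell from here whether registration now produces bcrypt hashes. `passwordSalt` is now dead on this method because bcrypt embeds the salt in the hash string; keep it for callers but say so: `// passwordSalt is unused: bcrypt carries its salt inside the stored hash`. A cheap guard up front stops bad data from turning into a 500: `if (string.IsNullOrEmpty(passwordFromDatabase)) return false;`.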