diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index f9ab65dc..8bcebac6 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -221,11 +221,11 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
 if ucfg is None:
 eventlet.sleep(0.05)
 return None
+ if isinstance(passphrase, bytes):
+ bpassphrase = passphrase
+ else:
+ bpassphrase = passphrase.encode('utf8')
 if (user, tenant) in _passcache:
- if isinstance(passphrase, bytes):
- bpassphrase = passphrase
- else:
- bpassphrase = passphrase.encode('utf8')
 if hashlib.sha256(bpassphrase).digest() == _passcache[(user, tenant)]:
 return authorize(user, element, tenant, operation=operation)
 else:
@@ -260,7 +260,7 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
 # determine failure because there is a delay, valid response will
 # delay as well
 if crypt == crypted:
- _passcache[(user, tenant)] = hashlib.sha256(passphrase).digest()
+ _passcache[(user, tenant)] = hashlib.sha256(bpassphrase).digest()
 return authorize(user, element, tenant, operation)
 if pam:
 pwe = None
@@ -291,10 +291,6 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
 # user
 usergood = pam.authenticate(user, passphrase, service=_pamservice)
 if usergood:
- if isinstance(passphrase, bytes):
- bpassphrase = passphrase
- else:
- bpassphrase = passphrase.encode('utf8')
 _passcache[(user, tenant)] = hashlib.sha256(bpassphrase).digest()
 return authorize(user, element, tenant, operation, skipuserobj=False)
 eventlet.sleep(0.05) # stall even on test for existence of a username
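Review bot: The cache check kept as context in the first hunk, `if hashlib.sha256(bpassphrase).digest() == _passcache[(user, tenant)]:`, compares credential-derived digests with `==`, which is not a constant-time comparison; the usual form is `if hmac.compare_digest(hashlib.sha256(bpassphrase).digest(), _passcache[(user, tenant)]):`. The `if crypt == crypted:` test in the second hunk has the same shape and could take the same treatment, provided both operands are bytes or both are ASCII str, which cannot be confirmed from the lines shown. Whether `hmac` is already imported in auth.py is not visible in the diff, and check_user_passphrase starts and ends outside the hunk.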
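Review bot: The cache write in the second hunk, `_passcache[(user, tenant)] = hashlib.sha256(bpassphrase).digest()`, and the identical write in the PAM branch of the third hunk have no comment explaining that the cache holds a single unsalted SHA-256 of the passphrase. That is presumably a far cheaper guessing target than the `crypted` value it was just checked against, should process memory or a core dump ever be exposed. A short note at the write would record the trade-off, for example `# fast unsalted hash so repeat requests skip the slow check; process memory is credential-bearing`. How `_passcache` entries are dropped when a passphrase changes or a user is removed is not visible in the diff and is worth confirming before relying on the cache hit path. The function body continues outside the hunk.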