diff --git a/src/routes/users.js b/src/routes/users.js
index fb878f355..0f1eb41ac 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -182,7 +182,7 @@ async function setGhost(req, res, next) {
     if (typeof req.body.password !== 'string' || !req.body.password) return next(new HttpError(400, 'password must be non-empty string'));
     if ('expiresAt' in req.body && typeof req.body.password !== 'number') return next(new HttpError(400, 'expiresAt must be a number'));
 
-    const [error] = await safe(users.setGhost(req.resource, req.body.password, req.body.expiresAt || null));
+    const [error] = await safe(users.setGhost(req.resource, req.body.password, req.body.expiresAt || 0));
     if (error) return next(BoxError.toHttpError(error));
 
     next(new HttpSuccess(204));
diff --git a/src/users.js b/src/users.js
index c62384a5f..a21e45019 100644
--- a/src/users.js
+++ b/src/users.js
@@ -247,8 +247,8 @@ async function add(email, data, auditSource) {
 
 async function setGhost(user, password, expiresAt) {
     assert.strictEqual(typeof user, 'object');
-    assert.strictEqual(typeof newPassword, 'string');
-    assert.strictEqual(typeof auditSource, 'object');
+    assert.strictEqual(typeof password, 'string');
+    assert.strictEqual(typeof expiresAt, 'number');
 
     expiresAt = expiresAt || DEFAULT_GHOST_LIFETIME;