diff --git a/api/routes/user.js b/api/routes/user.js
index 63e5da8f3..ae5c13bbe 100644
--- a/api/routes/user.js
+++ b/api/routes/user.js
@@ -119,6 +119,7 @@ function authenticate(req, res, next) {
 }
 req.user = result;
+ req.user.password = auth.password;
 next();
 });
@@ -146,16 +147,22 @@ function authenticate(req, res, next) {
 email: result.email
 };
+ // attach the password in case it was sent via auth headers
+ var auth = extractCredentialsFromHeaders(req);
+ if (auth && auth.username === result.username) {
+ req.user.password = auth.password;
+ }
+
 next();
 });
 }
- if (req.headers.authorization) {
- debug('using login authentication');
- loginAuthenticator(req, res, next);
- } else if (req.query.auth_token || req.cookies.token) {
+ if (req.query.auth_token || req.cookies.token) {
 debug('using token based authentication');
 tokenAuthenticator(req, res, next);
+ } else if (req.headers.authorization) {
+ debug('using login authentication');
+ loginAuthenticator(req, res, next);
 } else {
 next(new HttpError(401, 'No credentials'));
 }
diff --git a/api/routes/volume.js b/api/routes/volume.js
index 2228c2291..f94f7ffd9 100644
--- a/api/routes/volume.js
+++ b/api/routes/volume.js
@@ -1,6 +1,7 @@
 'use strict';
 var HttpError = require('../httperror'),
+ user = require('../user.js'),
 volume = require('../volume.js');
 exports = module.exports = {
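Review bot: `req.user.password = auth.password;` keeps the caller's plaintext password on the request object for the remainder of the request, and nothing in the hunk records that `req.user` must therefore never be serialized or logged after this point; any handler that later does `res.send(req.user)` or debug-prints it would echo the password back. The enclosing function starts outside the hunk, so I am assuming `auth` is the credentials object parsed earlier in it and `result` the verified user record. A comment on the added line would make the constraint visible to later readers, e.g. `// plaintext credential kept for volume encryption; never serialize or log req.user`. If only one or two handlers need the value, passing it to them explicitly instead of parking it on `req.user` would shrink the number of places that have to honour that rule.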
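Review bot: In the token-authenticated path the password taken from the Authorization header is attached to `req.user` without ever being checked against the account — the token proved the session, the header password proved nothing — so any consumer that reads `req.user.password` assuming it was verified during authentication is mistaken. The `auth.username === result.username` test only ties the header to the same account name; it does not validate the secret. The added comment should state this, e.g. `// unverified: token auth does not check this password; callers must run user.verify() before relying on it`. The reordering of the dispatch below has the same consequence and is worth a comment too: once a token is present, a wrong or malformed Authorization header no longer yields a 401 at this stage.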
@@ -46,21 +47,29 @@ function listVolumes(req, res, next) {
 function createVolume(req, res, next) {
 if (!req.body.name) {
- return next(new HttpError(400, 'volume name not specified'));
+ return next(new HttpError(400, 'New volume name not specified'));
 }
- if (volume.get(req.body.name, req.user.username, config)) {
- return next(new HttpError(409, 'volume already exists'));
+ if (!req.user.password) {
+ return next(new HttpError(400, 'Password not specified'));
 }
- // TODO use real password, would help :-) - Johannes
- var password = 'foobar1337';
- volume.create(req.body.name, req.user.username, req.user.email, password, config, function (error, result) {
+ user.verify(req.user.username, req.user.password, function (error, result) {
 if (error) {
- return next(new HttpError(500, 'volume creation failed: ' + error));
+ return next(new HttpError(401, 'Wrong password entered'));
 }
- res.send(201);
+ if (volume.get(req.body.name, req.user.username, config)) {
+ return next(new HttpError(409, 'Volume already exists'));
+ }
+
+ volume.create(req.body.name, req.user.username, req.user.email, req.user.password, config, function (error, result) {
+ if (error) {
+ return next(new HttpError(500, 'Volume creation failed: ' + error));
+ }
+
+ res.send(201);
+ });
 });
 }
diff --git a/webadmin/dashboard.html b/webadmin/dashboard.html
index e2b03c727..5e59b6234 100644
--- a/webadmin/dashboard.html
+++ b/webadmin/dashboard.html
@@ -70,13 +70,19 @@
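Review bot: The `user.verify` callback turns every error into `401 Wrong password entered`, so a lookup or storage failure inside `user.verify` is reported to the client as a bad password and is not logged here either, which hides operational failures behind an auth error. If `user.verify` distinguishes a bad-credential result from other failures, only that case should become a 401 and the rest a 500; if it does not, at least log `error` server-side before returning. The inner callback's `error`/`result` shadow the outer pair and verify's `result` is unused, so renaming the outer ones (e.g. `verifyError`) would make the nesting easier to follow. The 500 path still concatenates the raw `error` into the response body, so whatever `volume.create` puts in its error object reaches the client — log it and return a fixed message instead.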