diff --git a/src/server.js b/src/server.js
index 33dc41743..29014730a 100644
--- a/src/server.js
+++ b/src/server.js
@@ -112,7 +112,7 @@ function initializeExpressSync() {
 
     // cloudron routes
     router.get ('/api/v1/cloudron/config', cloudronScope, routes.cloudron.getConfig);
-    router.post('/api/v1/cloudron/update', cloudronScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.cloudron.update);
+    router.post('/api/v1/cloudron/update', cloudronScope, routes.user.requireAdmin, routes.cloudron.update);
     router.post('/api/v1/cloudron/check_for_updates', cloudronScope, routes.user.requireAdmin, routes.cloudron.checkForUpdates);
     router.post('/api/v1/cloudron/reboot', cloudronScope, routes.user.requireAdmin, routes.cloudron.reboot);
     router.post('/api/v1/cloudron/migrate', cloudronScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.cloudron.migrate);
@@ -184,7 +184,7 @@ function initializeExpressSync() {
     router.post('/api/v1/apps/:id/uninstall', appsScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.apps.uninstallApp);
     router.post('/api/v1/apps/:id/configure', appsScope, routes.user.requireAdmin, routes.apps.configureApp);
     router.post('/api/v1/apps/:id/update',    appsScope, routes.user.requireAdmin, routes.apps.updateApp);
-    router.post('/api/v1/apps/:id/restore',   appsScope, routes.user.requireAdmin, routes.apps.restoreApp);
+    router.post('/api/v1/apps/:id/restore',   appsScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.apps.restoreApp);
     router.post('/api/v1/apps/:id/backup',    appsScope, routes.user.requireAdmin, routes.apps.backupApp);
     router.get ('/api/v1/apps/:id/backups',   appsScope, routes.user.requireAdmin, routes.apps.listBackups);
     router.post('/api/v1/apps/:id/stop',      appsScope, routes.user.requireAdmin, routes.apps.stopApp);
diff --git a/webadmin/src/index.html b/webadmin/src/index.html
index c5cb9faa8..6a0854155 100644
--- a/webadmin/src/index.html
+++ b/webadmin/src/index.html
@@ -130,14 +130,6 @@
                         <div ng-hide="config.provider !== 'caas' && config.update.box.upgrade">
                             <fieldset>
                                 <form name="update_form" role="form" ng-submit="doUpdate()" autocomplete="off">
-                                    <div class="form-group" ng-class="{ 'has-error': (update_form.password.$dirty && update_form.password.$invalid) || (!update_form.password.$dirty && update.error.password) }">
-                                        <label class="control-label" for="inputUpdatePassword">Give your password to verify that you are performing that action</label>
-                                        <div class="control-label" ng-show="(update_form.password.$dirty && update_form.password.$invalid) || (!update_form.password.$dirty && update.error.password)">
-                                            <small ng-show=" update_form.password.$dirty && update_form.password.$invalid">Password required</small>
-                                            <small ng-show="!update_form.password.$dirty && update.error.password">Wrong password</small>
-                                        </div>
-                                        <input type="password" class="form-control" ng-model="update.password" id="inputUpdatePassword" name="password" placeholder="Password" required autofocus>
-                                    </div>
                                     <input class="ng-hide" type="submit" ng-disabled="update_form.$invalid || update.busy"/>
                                 </form>
                             </fieldset>
diff --git a/webadmin/src/js/client.js b/webadmin/src/js/client.js
index cb8ddfd75..84c01d620 100644
--- a/webadmin/src/js/client.js
+++ b/webadmin/src/js/client.js
@@ -345,10 +345,9 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
         }).error(defaultErrorHandler(callback));
     };
 
-    Client.prototype.configureApp = function (id, password, config, callback) {
+    Client.prototype.configureApp = function (id, config, callback) {
         var data = {
             appId: id,
-            password: password,
             location: config.location,
             portBindings: config.portBindings,
             accessRestriction: config.accessRestriction,
@@ -367,10 +366,9 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
         }).error(defaultErrorHandler(callback));
     };
 
-    Client.prototype.updateApp = function (id, manifest, portBindings, password, callback) {
+    Client.prototype.updateApp = function (id, manifest, portBindings, callback) {
         var data =  {
             appStoreId: manifest.id + '@' + manifest.version,
-            password: password,
             portBindings: portBindings
         };
 
@@ -821,8 +819,8 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
         }).error(defaultErrorHandler(callback));
     };
 
-    Client.prototype.update = function (password, callback) {
-        var data = { password: password };
+    Client.prototype.update = function (callback) {
+        var data = { };
 
         post('/api/v1/cloudron/update', data).success(function(data, status) {
             if (status !== 202 || typeof data !== 'object') return callback(new ClientError(status, data));
diff --git a/webadmin/src/js/main.js b/webadmin/src/js/main.js
index 82df3bb98..199310138 100644
--- a/webadmin/src/js/main.js
+++ b/webadmin/src/js/main.js
@@ -12,8 +12,7 @@ angular.module('Application').controller('MainController', ['$scope', '$route',
 
     $scope.update = {
         busy: false,
-        error: {},
-        password: ''
+        error: {}
     };
 
     $scope.isActive = function (url) {
@@ -77,8 +76,6 @@ angular.module('Application').controller('MainController', ['$scope', '$route',
 
     $scope.showUpdateModal = function (form) {
         $scope.update.error.generic = null;
-        $scope.update.error.password = null;
-        $scope.update.password = '';
 
         form.$setPristine();
         form.$setUntouched();
@@ -98,21 +95,12 @@ angular.module('Application').controller('MainController', ['$scope', '$route',
 
     $scope.doUpdate = function () {
         $scope.update.error.generic = null;
-        $scope.update.error.password = null;
 
         $scope.update.busy = true;
-        Client.update($scope.update.password, function (error) {
+        Client.update(function (error) {
             if (error) {
-                if (error.statusCode === 403) {
-                    $scope.update.error.password = true;
-                    $scope.update.password = '';
-                    $scope.update_form.password.$setPristine();
-                    $('#inputUpdatePassword').focus();
-                } else if (error.statusCode === 409) {
+                if (error.statusCode === 409) {
                     $scope.update.error.generic = 'Please try again later. The Cloudron is creating a backup at the moment.';
-                    $scope.update.password = '';
-                    $scope.update_form.password.$setPristine();
-                    $('#inputUpdatePassword').focus();
                 } else {
                     $scope.update.error.generic = error.message;
                     console.error('Unable to update.', error);
diff --git a/webadmin/src/views/apps.html b/webadmin/src/views/apps.html
index 66c45dc92..5dafad113 100644
--- a/webadmin/src/views/apps.html
+++ b/webadmin/src/views/apps.html
@@ -57,8 +57,6 @@
                             </ng-form>
                         </div>
 
-                        <br/>
-
                         <div class="form-group" ng-show="appConfigure.customAuth && !appConfigure.app.manifest.addons.email">
                             <label class="control-label">User management</label>
                             <p>
@@ -162,16 +160,6 @@
                             </div>
                         </div>
 
-                        <br/>
-                        <br/>
-                        <div class="form-group" ng-class="{ 'has-error': (appConfigureForm.password.$dirty && appConfigureForm.password.$invalid) || (!appConfigureForm.password.$dirty && appConfigure.error.password) }">
-                            <label class="control-label" for="appConfigurePasswordInput">Provide your password to confirm this action</label>
-                            <div class="control-label" ng-show="(appConfigureForm.password.$dirty && appConfigureForm.password.$invalid) || (!appConfigureForm.password.$dirty && appConfigure.error.password)">
-                                <small ng-show=" appConfigureForm.password.$dirty && appConfigureForm.password.$invalid">Password required</small>
-                                <small ng-show="!appConfigureForm.password.$dirty && appConfigure.error.password">Wrong password</small>
-                            </div>
-                            <input type="password" class="form-control" ng-model="appConfigure.password" id="appConfigurePasswordInput" name="password" required>
-                        </div>
                         <input class="ng-hide" type="submit" ng-disabled="appConfigureForm.$invalid || appConfigure.busy || (appConfigure.accessRestrictionOption === 'groups' && !appConfigure.isAccessRestrictionValid()) || (appConfigure.usingAltDomain && !appConfigure.isAltDomainValid())"/>
                     </form>
                 </fieldset>
@@ -328,10 +316,6 @@
                                 </div>
                             </ng-form>
                         </div>
-                        <div class="form-group" ng-class="{ 'has-error': (!appUpdateForm.password.$dirty && appUpdate.error.password) || (appUpdateForm.password.$dirty && appUpdateForm.password.$invalid) }">
-                            <label class="control-label" for="inputUpdatePassword">Provide your password to confirm this action</label>
-                            <input type="password" class="form-control" ng-model="appUpdate.password" id="inputUpdatePassword" name="password" required autofocus>
-                        </div>
                         <input class="ng-hide" type="submit" ng-disabled="appUpdateForm.$invalid || busy"/>
                     </form>
                 </fieldset>
diff --git a/webadmin/src/views/apps.js b/webadmin/src/views/apps.js
index cca239fa9..6847db981 100644
--- a/webadmin/src/views/apps.js
+++ b/webadmin/src/views/apps.js
@@ -20,7 +20,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         location: '',
         usingAltDomain: false,
         advancedVisible: false,
-        password: '',
         portBindings: {},
         portBindingsEnabled: {},
         portBindingsInfo: {},
@@ -88,7 +87,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         busy: false,
         error: {},
         app: {},
-        password: '',
         manifest: {},
         portBindings: {}
     };
@@ -108,7 +106,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appConfigure.location = '';
         $scope.appConfigure.advancedVisible = false;
         $scope.appConfigure.usingAltDomain = false;
-        $scope.appConfigure.password = '';
         $scope.appConfigure.portBindings = {};          // This is the actual model holding the env:port pair
         $scope.appConfigure.portBindingsEnabled = {};   // This is the actual model holding the enabled/disabled flag
         $scope.appConfigure.certificateFile = null;
@@ -138,7 +135,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         // reset update dialog
         $scope.appUpdate.error = {};
         $scope.appUpdate.app = {};
-        $scope.appUpdate.password = '';
         $scope.appUpdate.manifest = {};
         $scope.appUpdate.portBindings = {};
 
@@ -250,7 +246,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appConfigure.busy = true;
         $scope.appConfigure.error.other = null;
         $scope.appConfigure.error.location = null;
-        $scope.appConfigure.error.password = null;
         $scope.appConfigure.error.xFrameOptions = null;
 
         // only use enabled ports from portBindings
@@ -274,7 +269,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
             enableBackup: $scope.appConfigure.enableBackup
         };
 
-        Client.configureApp($scope.appConfigure.app.id, $scope.appConfigure.password, data, function (error) {
+        Client.configureApp($scope.appConfigure.app.id, data, function (error) {
             if (error) {
                 if (error.statusCode === 409 && (error.message.indexOf('is reserved') !== -1 || error.message.indexOf('is already in use') !== -1)) {
                     $scope.appConfigure.error.port = error.message;
@@ -282,11 +277,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
                     $scope.appConfigure.error.location = 'This name is already taken.';
                     $scope.appConfigureForm.location.$setPristine();
                     $('#appConfigureLocationInput').focus();
-                } else if (error.statusCode === 403) {
-                    $scope.appConfigure.error.password = true;
-                    $scope.appConfigure.password = '';
-                    $scope.appConfigureForm.password.$setPristine();
-                    $('#appConfigurePasswordInput').focus();
                 } else if (error.statusCode === 400 && error.message.indexOf('cert') !== -1 ) {
                     $scope.appConfigure.error.cert = error.message;
                     $scope.appConfigure.certificateFileName = '';
@@ -483,7 +473,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
     };
 
     $scope.doUpdate = function (form) {
-        $scope.appUpdate.error.password = null;
         $scope.appUpdate.busy = true;
 
         // only use enabled ports from portBindings
@@ -494,15 +483,11 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
             }
         }
 
-        Client.updateApp($scope.appUpdate.app.id, $scope.appUpdate.manifest, finalPortBindings, $scope.appUpdate.password, function (error) {
-            if (error && error.statusCode === 403) {
-                $scope.appUpdate.password = '';
-                $scope.appUpdate.error.password = true;
-            } else if (error) {
+        Client.updateApp($scope.appUpdate.app.id, $scope.appUpdate.manifest, finalPortBindings, function (error) {
+            if (error) {
                 Client.error(error);
             } else {
                 $scope.appUpdate.app = {};
-                $scope.appUpdate.password = '';
 
                 form.$setPristine();
                 form.$setUntouched();