diff --git a/auth/store.go b/auth/store.go
index 6ddeb86e8fb9..b83a8f3dd7df 100644
--- a/auth/store.go
+++ b/auth/store.go
@@ -321,22 +321,26 @@ func (as *authStore) CheckPassword(username, password string) (uint64, error) {
 
 	tx := as.be.BatchTx()
 	tx.Lock()
-	defer tx.Unlock()
 
 	user := getUser(as.lg, tx, username)
 	if user == nil {
+		tx.Unlock()
 		return 0, ErrAuthFailed
 	}
 
 	if user.Options != nil && user.Options.NoPassword {
+		tx.Unlock()
 		return 0, ErrAuthFailed
 	}
 
+	revision := getRevision(tx)
+	tx.Unlock()
+
 	if bcrypt.CompareHashAndPassword(user.Password, []byte(password)) != nil {
 		as.lg.Info("invalid password", zap.String("user-name", username))
 		return 0, ErrAuthFailed
 	}
-	return getRevision(tx), nil
+	return revision, nil
 }
 
 func (as *authStore) Recover(be backend.Backend) {