diff --git a/auth/builder_web_auth.ml b/auth/builder_web_auth.ml
index b039803..3aa927d 100644
--- a/auth/builder_web_auth.ml
+++ b/auth/builder_web_auth.ml
@@ -40,9 +40,8 @@ let user_info_of_sexp =
 let h count salt password =
   Pbkdf.pbkdf2 ~prf ~count ~dk_len ~salt ~password:(Cstruct.of_string password)
-let hash ~username ~password =
+let hash ?(password_iter=default_count) ~username ~password () =
   let salt = Mirage_crypto_rng.generate 16 in
-  let password_iter = default_count in
   let password_hash = h password_iter salt password in
   { username; password_hash; password_salt = salt; password_iter }
diff --git a/bin/builder_db.ml b/bin/builder_db.ml
index 2ec0af4..6e7a9ba 100644
--- a/bin/builder_db.ml
+++ b/bin/builder_db.ml
@@ -125,7 +125,7 @@ let do_migrate dbpath =
 let migrate () dbpath =
   or_die 1 (do_migrate dbpath)
-let user_mod action dbpath username =
+let user_mod action dbpath password_iter username =
   let r =
     Caqti_blocking.connect
       (Uri.make ~scheme:"sqlite3" ~path:dbpath ~query:["create", ["false"]] ())
@@ -134,7 +134,7 @@ let user_mod action dbpath username =
   flush stdout;
   (* FIXME: getpass *)
   let password = read_line () in
-  let user_info = Builder_web_auth.hash ~username ~password in
+  let user_info = Builder_web_auth.hash ?password_iter ~username ~password () in
   match action with
   | `Add ->
     Db.exec Builder_db.User.add user_info
@@ -192,6 +192,12 @@ let username =
   pos 0 (some string) None &
   info ~doc ~docv:"USERNAME" [])
+let password_iter = let doc = "password hash count" in Cmdliner.Arg.(value & opt (some int) None & info ~doc ["hash-count"])
+
 let datadir =
   let doc = Cmdliner.Arg.info ~doc:"builder data dir" ["datadir"] in
   Cmdliner.Arg.(value &
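Review bot: `hash` now takes `?password_iter` with no lower bound, so a caller can request a zero, negative or trivially small PBKDF2 count and the resulting record (whose `password_iter` field is what later verification will presumably replay) is far cheaper to brute-force than `default_count` intended. Guard it before the salt is generated: `if password_iter < 1 then invalid_arg "Builder_web_auth.hash: password_iter must be >= 1";` — `Pbkdf.pbkdf2` may well reject a non-positive count itself, but that is not visible here, and a project-level minimum well above 1 would be the real protection. A doc comment on the function stating that `password_iter` is the PBKDF2 iteration count stored alongside the salt and defaults to `default_count` would also help the CLI caller pick a sensible value.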
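Review bot: The new `--hash-count` option is declared as a bare `some int`, so `--hash-count 0` or a negative value is accepted by the parser and handed straight to the password hash, and a small positive value silently weakens that one user's stored hash with no warning. Either reject out-of-range values in `user_mod` before `Builder_web_auth.hash` is called, or use a bounded Cmdliner converter, and make the doc string say what the number means: `let doc = "PBKDF2 iteration count for the stored password hash (must be >= 1; larger is slower but harder to brute-force; defaults to the library default)" in`.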
@@ -227,12 +233,12 @@ let add_cmd =
 let user_add_cmd =
   let doc = "add a user" in
-  (Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ username),
+  (Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ password_iter $ username),
    Cmdliner.Term.info ~doc "user-add")
 let user_update_cmd =
   let doc = "update a user password" in
-  (Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ username),
+  (Cmdliner.Term.(pure user_add $ setup_log $ dbpath $ password_iter $ username),
    Cmdliner.Term.info ~doc "user-update")
 let user_remove_cmd =
diff --git a/lib/builder_web.ml b/lib/builder_web.ml
index 618a15d..820562a 100644
--- a/lib/builder_web.ml
+++ b/lib/builder_web.ml
@@ -57,7 +57,8 @@ let authorized t handler = fun req ->
       then handler req
       else Lwt.return unauthorized
     | Ok None ->
-      ignore (Builder_web_auth.hash ~username ~password);
+      let _ : Builder_web_auth.user_info = Builder_web_auth.hash ~username ~password () in
       Lwt.return unauthorized
     | Error e ->
       Log.warn (fun m -> m "Error getting user: %a" pp_error e);
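Review bot: `user_update_cmd` still applies `pure user_add` for the `user-update` term; the hunk only threads `password_iter` through and keeps that binding, so unless `user_add` is in fact the update entry point (which this hunk cannot show) `user-update` would run the `Add` action instead of replacing the password. If a `user_update` binding exists it should be `(Cmdliner.Term.(pure user_update $ setup_log $ dbpath $ password_iter $ username),`. Both term definitions are complete within the hunk.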
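Review bot: The dummy hash on the `Ok None` path is computed with the default iteration count, while this commit makes the count configurable per user, so once an operator sets `--hash-count` to anything other than `default_count` the unknown-user branch no longer costs the same as verifying a real user and the response-time gap can distinguish valid usernames from invalid ones. Pass the deployment's configured count explicitly, e.g. `Builder_web_auth.hash ~password_iter:configured_count ~username ~password ()`, or verify against a fixed dummy `user_info` created with the same parameters as real users. The `Ok (Some _)` branch that does the real verification starts above the hunk, so which count it replays is not visible here and should be confirmed.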