diff --git a/internal/user/types.go b/internal/user/types.go
index fc22acaf..fc43d16b 100644
--- a/internal/user/types.go
+++ b/internal/user/types.go
@@ -18,7 +18,7 @@
 package user
 
 import (
-	"encoding/hex"
+	"encoding/base64"
 	"fmt"
 	"reflect"
 	"strings"
@@ -58,24 +58,25 @@ func groupBy[Key comparable, Value any](items []Value, key func(Value) Key) map[
 	return groups
 }
 
-// hexEncode returns the hexadecimal encoding of the given byte slice.
-func hexEncode(b []byte) []byte {
-	enc := make([]byte, hex.EncodedLen(len(b)))
+// b64Encode returns the base64 encoding of the given byte slice.
+func b64Encode(b []byte) []byte {
+	enc := make([]byte, base64.RawURLEncoding.EncodedLen(len(b)))
 
-	hex.Encode(enc, b)
+	base64.RawURLEncoding.Encode(enc, b)
 
 	return enc
 }
 
-// hexDecode returns the bytes represented by the hexadecimal encoding of the given byte slice.
-func hexDecode(b []byte) ([]byte, error) {
-	dec := make([]byte, hex.DecodedLen(len(b)))
+// b64Decode returns the bytes represented by the base64 encoding of the given byte slice.
+func b64Decode(b []byte) ([]byte, error) {
+	dec := make([]byte, base64.RawURLEncoding.DecodedLen(len(b)))
 
-	if _, err := hex.Decode(dec, b); err != nil {
+	n, err := base64.RawURLEncoding.Decode(dec, b)
+	if err != nil {
 		return nil, err
 	}
 
-	return dec, nil
+	return dec[:n], nil
 }
 
 // getAddrID returns the address ID for the given email address.
diff --git a/internal/user/user.go b/internal/user/user.go
index e3d98624..3ae7d8e5 100644
--- a/internal/user/user.go
+++ b/internal/user/user.go
@@ -351,7 +351,7 @@ func (user *User) GluonKey() []byte {
 
 // BridgePass returns the user's bridge password, used for authentication over SMTP and IMAP.
 func (user *User) BridgePass() []byte {
-	return hexEncode(user.vault.BridgePass())
+	return b64Encode(user.vault.BridgePass())
 }
 
 // UsedSpace returns the total space used by the user on the API.
@@ -526,7 +526,7 @@ func (user *User) SendMail(authID string, from string, to []string, r io.Reader)
 // CheckAuth returns whether the given email and password can be used to authenticate over IMAP or SMTP with this user.
 // It returns the address ID of the authenticated address.
 func (user *User) CheckAuth(email string, password []byte) (string, error) {
-	dec, err := hexDecode(password)
+	dec, err := b64Decode(password)
 	if err != nil {
 		return "", fmt.Errorf("failed to decode password: %w", err)
 	}