diff --git a/lib/new-admin/admin-server.js b/lib/new-admin/admin-server.js
index decfe7aa..844d81c1 100644
--- a/lib/new-admin/admin-server.js
+++ b/lib/new-admin/admin-server.js
@@ -13,6 +13,8 @@ const { ApolloServer, AuthenticationError } = require('apollo-server-express')
 const _ = require('lodash/fp')
 const session = require('express-session')
 const pgSession = require('connect-pg-simple')(session)
+const hkdf = require('futoin-hkdf')
+const pify = require('pify')
 const login = require('./services/login')
 const register = require('./routes/authentication')
@@ -20,6 +22,7 @@ const register = require('./routes/authentication')
 const options = require('../options')
 const db = require('../db')
 const users = require('../users')
+const mnemonicHelpers = require('../mnemonic-helpers')
 const authRouter = require('./routes/auth')
 const { AuthDirective } = require('./graphql/directives')
@@ -44,13 +47,22 @@ app.use(bodyParser.json())
 app.use(bodyParser.urlencoded({ extended: true })) // support encoded bodies
 app.use(express.static(path.resolve(__dirname, '..', '..', 'public')))
+const getSecret = () => {
+ const mnemonic = fs.readFileSync(options.mnemonicPath, 'utf8')
+ return hkdf(
+ mnemonicHelpers.toEntropyBuffer(mnemonic),
+ 16,
+ { salt: 'lamassu-server-salt', info: 'operator-id' }
+ ).toString('hex')
+}
+
 app.use('*', session({
 store: new pgSession({
 pgPromise: db,
 tableName: 'user_sessions'
 }),
 name: 'lid',
- secret: 'MY_SECRET',
+ secret: getSecret(),
 resave: false,
 saveUninitialized: false,
 cookie: {
diff --git a/lib/new-admin/graphql/modules/authentication.js b/lib/new-admin/graphql/modules/authentication.js
index 1b68ee36..71dbb8c1 100644
--- a/lib/new-admin/graphql/modules/authentication.js
+++ b/lib/new-admin/graphql/modules/authentication.js
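Review bot: The HKDF call in getSecret() tags its output with `info: 'operator-id'` even though the value becomes the express-session cookie-signing secret; if the same entropy, salt and info are used anywhere else to derive an operator identifier, that identifier and the signing key are the same bytes, which defeats the key separation the info parameter exists to provide. Use a label specific to this purpose, e.g. `{ salt: 'lamassu-server-salt', info: 'session-secret' }`. A comment above getSecret should also record that the secret is a deterministic function of the wallet mnemonic entropy (so it cannot be rotated without changing the mnemonic) and that an unreadable options.mnemonicPath makes readFileSync throw at module load, which is fail-closed but deserves a clearer startup error. Separately, `const pify = require('pify')` added in the first hunk is not referenced by any line in this diff; drop it unless it is used outside the shown hunks.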
@@ -8,16 +8,19 @@ const sessionManager = require('../../../session-manager')
 const REMEMBER_ME_AGE = 90 * T.day
-async function authenticateUser (username, password) {
- const hashedPassword = await loginHelper.checkUser(username)
- if (!hashedPassword) return null
-
- const isMatch = await bcrypt.compare(password, hashedPassword)
- if (!isMatch) return null
-
- const user = await loginHelper.validateUser(username, hashedPassword)
- if (!user) return null
- return user
+function authenticateUser (username, password) {
+ return loginHelper.checkUser(username).then(hashedPassword => {
+ if (!hashedPassword) return null
+ return Promise.all([bcrypt.compare(password, hashedPassword), hashedPassword])
+ }).then(([isMatch, hashedPassword]) => {
+ if (!isMatch) return null
+ return loginHelper.validateUser(username, hashedPassword)
+ }).then(user => {
+ if (!user) return null
+ return user
+ }).catch(e => {
+ console.error(e)
+ })
 }
 const getUserData = context => {
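Review bot: The `.catch(e => { console.error(e) })` appended to the chain swallows every rejection from loginHelper.checkUser, bcrypt.compare and loginHelper.validateUser, so the promise resolves to undefined and the caller cannot distinguish a database outage or a bcrypt failure from an ordinary failed login, while the function's result set silently grows from user-or-null to user-or-null-or-undefined. Re-throw after logging, `.catch(e => { console.error(e); throw e })`, or drop the catch entirely and let the resolver's error handling report it. The final `.then(user => { if (!user) return null; return user })` only normalizes a falsy user to null and reads more directly as `.then(user => user || null)`; since the async/await form it replaces expressed the same flow more plainly, the reason for moving to a then-chain is worth stating in a comment above the function.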