diff --git a/app/models/user.rb b/app/models/user.rb
index 6091986..180a381 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,35 +1,80 @@
 class User < ActiveRecord::Base
+
+  attr_accessor :password, :retype_password
+
   has_many :ownerships
   has_many :hosts, through: :ownerships, inverse_of: :users
 
   enum user_type: { institutional: 0, vima: 1, okeanos: 2, admin: 3 }
 
-  validates :username, :user_type, presence: true
+  validates :user_type, presence: true
+  validates :username, presence: true, uniqueness: { scope: :user_type }
+  validates :email, presence: true, uniqueness: { scope: :user_type }
+
+  before_create :confirm_passwords, if: :admin?
+
+  # Returns an admin user with the given password
+  #
+  # @param username[String] username from user input
+  # @param a_password[String] password from user input
+  #
+  # @return [User] the admin user or nil
+  def self.fetch_admin_with_password(username, a_password)
+    hashed_pass = Digest::SHA256.hexdigest(a_password + Rails.application.secrets.salt)
+    admin = User.admin.find_by_username_and_password_hash(username, hashed_pass)
+    admin
+  end
 
   # Composes the user's display name from the user's username and email
   #
   # @return [String]
   def display_name
     "#{username} <#{email}>"
   end
 
   # Determines if the user must select hosts from a list or enter their
   # FQDN manually
   #
   # @return [Boolean]
   def needs_host_list?
     vima? || okeanos?
   end
 
   # Marks a user as not enabled
   def ban
     self.enabled = false
     save
   end
 
   # Marks a user as enabled
   def unban
     self.enabled = true
     save
   end
+
+  # Stores a hashed password as a password_hash
+  #
+  # @param a_password[String] the user submitted password
+  #
+  # @return [Boolean] the save exit status
+  def add_password(a_password)
+    self.password_hash = Digest::SHA256.hexdigest(a_password + Rails.application.secrets.salt)
+    self.save
+  end
+
+  private
+
+  def confirm_passwords
+    if password.blank?
+      self.errors.add(:password, 'Must give a password')
+      return false
+    end
+    if password != retype_password
+      self.errors.add(:password, 'Passwords mismatch')
+      self.errors.add(:retype_password, 'Passwords mismatch')
+      return false
+    end
+
+    true
+  end
 end
diff --git a/spec/factories/user.rb b/spec/factories/user.rb
index bf8b7d5..3688e52 100644
--- a/spec/factories/user.rb
+++ b/spec/factories/user.rb
@@ -1,12 +1,13 @@
 FactoryGirl.define do
   factory :user do
     sequence(:username) { |n| "user-#{n}" }
     user_type 0
+    sequence(:email) { |n| "user-#{n}@grnet.gr" }
   end
 
   trait :admin do
     after(:create) do |user|
       user.admin!
     end
   end
 end