diff --git a/internal/models/models.go b/internal/models/models.go
index 626a00e..2dea65f 100644
--- a/internal/models/models.go
+++ b/internal/models/models.go
@@ -711,6 +711,7 @@ type User struct {
 Username string `gorm:"size:100" json:"username"`
 Avatar string `gorm:"size:500" json:"avatar,omitempty"`
 IsActive bool `gorm:"default:true" json:"is_active"`
+ HasPassword bool `gorm:"-" json:"has_password"`
 CreatedAt time.Time `json:"created_at"`
 UpdatedAt time.Time `json:"updated_at"`
 DeletedAt gorm.DeletedAt `gorm:"index" json:"-"`
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
index c8dedef..952da85 100644
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -171,6 +171,7 @@ func (s *AuthService) Login(input LoginInput) (*models.User, *TokenPair, error)
 return nil, nil, err
 }
+ user.HasPassword = true
 return user, tokens, nil
 }
@@ -231,7 +232,12 @@ func (s *AuthService) ValidateEmail(email string) bool {
 // GetUserByID retrieves a user by ID
 func (s *AuthService) GetUserByID(id uint) (*models.User, error) {
- return s.userRepo.GetByID(id)
+ user, err := s.userRepo.GetByID(id)
+ if err != nil {
+ return nil, err
+ }
+ user.HasPassword = user.PasswordHash != ""
+ return user, nil
 }
 // generateTokenPair generates access and refresh tokens
@@ -286,9 +292,11 @@ func (s *AuthService) UpdatePassword(userID uint, oldPassword, newPassword strin
 return err
 }
- // Verify old password
- if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(oldPassword)); err != nil {
- return ErrInvalidCredentials
+ // Verify old password only if user has a password set
+ if user.PasswordHash != "" {
+ if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(oldPassword)); err != nil {
+ return ErrInvalidCredentials
+ }
 }
 // Validate new password
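Review bot: `HasPassword` is a derived, non-persisted field (`gorm:"-"`) with no comment, and its zero value is serialized as `"has_password": false` on every path that does not populate it. In this diff only `Login` and `GetUserByID` set it, so any other code that returns a `models.User` to a client would report the account as password-less, which a client may rely on when deciding whether to ask for the current password. Consider deriving it in one place, for example a GORM hook `func (u *User) AfterFind(tx *gorm.DB) error { u.HasPassword = u.PasswordHash != ""; return nil }`, which would also replace the hard-coded `user.HasPassword = true` in the `Login` hunk. The field should carry a comment such as `// HasPassword is derived from PasswordHash after load; it is never stored.` The struct continues outside this hunk.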
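Review bot: When `user.PasswordHash` is empty, the new branch in `UpdatePassword` skips every check on `oldPassword`, so setting the first password needs nothing beyond whatever authenticated the request. If such accounts come from an external sign-in (not visible in this hunk), a stolen or unattended session could attach a password to the account and keep working after that session is revoked. This path should require fresh proof of identity, for example a recent re-authentication or an emailed confirmation, and should record the event and revoke existing refresh tokens once the password is set. Until that exists, the branch should at least say so: `// SECURITY: no current-password check when no hash is stored; caller must enforce recent re-authentication.` `UpdatePassword` starts and ends outside the hunk.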