diff --git a/src/Access/Authentication.cpp b/src/Access/Authentication.cpp
index 6d7906a0c85..38ef311acaa 100644
--- a/src/Access/Authentication.cpp
+++ b/src/Access/Authentication.cpp
@@ -120,7 +120,7 @@ namespace
         {
             case AuthenticationType::NO_PASSWORD:
             {
-                return true;
+                return true; // N.B. even if the password is not empty!
             }
             case AuthenticationType::PLAINTEXT_PASSWORD:
             {
diff --git a/src/Parsers/Access/ParserCreateUserQuery.cpp b/src/Parsers/Access/ParserCreateUserQuery.cpp
index 2d5e4eaea98..4da0297dbc7 100644
--- a/src/Parsers/Access/ParserCreateUserQuery.cpp
+++ b/src/Parsers/Access/ParserCreateUserQuery.cpp
@@ -527,6 +527,11 @@ bool ParserCreateUserQuery::parseImpl(Pos & pos, ASTPtr & node, Expected & expec
             if (!parsed_identified_with)
             {
                 parsed_add_new_method = parseAddIdentifiedWith(pos, expected, auth_data);
+
+                if (parsed_add_new_method && !alter)
+                {
+                    throw Exception(ErrorCodes::BAD_ARGUMENTS, "Create user query is not allowed to have ADD IDENTIFIED, remove the ADD keyword.");
+                }
             }
         }