diff --git a/cmd/sojudb/main.go b/cmd/sojudb/main.go
index 4a5c8d8..4d4a804 100644
--- a/cmd/sojudb/main.go
+++ b/cmd/sojudb/main.go
@@ -74,13 +74,10 @@ func main() {
 			log.Fatalf("failed to hash password: %v", err)
 		}
 
-		user := database.User{
-			Username: username,
-			Password: string(hashed),
-			Admin:    *admin,
-			Enabled:  true,
-		}
-		if err := db.StoreUser(ctx, &user); err != nil {
+		user := database.NewUser(username)
+		user.Password = string(hashed)
+		user.Admin = *admin
+		if err := db.StoreUser(ctx, user); err != nil {
 			log.Fatalf("failed to create user: %v", err)
 		}
 	case "change-password":
diff --git a/contrib/znc-import/main.go b/contrib/znc-import/main.go
index 0a72cd7..d155a34 100644
--- a/contrib/znc-import/main.go
+++ b/contrib/znc-import/main.go
@@ -106,8 +106,9 @@ func main() {
 		if ok {
 			log.Printf("user %q: updating existing user", username)
 		} else {
+			u = database.NewUser(username)
 			// "!!" is an invalid crypt format, thus disables password auth
-			u = &database.User{Username: username, Password: "!!", Enabled: true}
+			u.Password = "!!"
 			usersCreated++
 			log.Printf("user %q: creating new user", username)
 		}
diff --git a/database/database.go b/database/database.go
index ac35a7d..8f19f8f 100644
--- a/database/database.go
+++ b/database/database.go
@@ -98,6 +98,13 @@ type User struct {
 	DownstreamInteractedAt time.Time
 }
 
+func NewUser(username string) *User {
+	return &User{
+		Username: username,
+		Enabled:  true,
+	}
+}
+
 func (u *User) CheckPassword(password string) (upgraded bool, err error) {
 	// Password auth disabled
 	if u.Password == "" {
diff --git a/server.go b/server.go
index 00d7560..552104e 100644
--- a/server.go
+++ b/server.go
@@ -515,11 +515,8 @@ func (s *Server) getOrCreateUser(ctx context.Context, username string) (*user, e
 	}
 
 	// Can't find the user in the DB -- try to create it
-	record := database.User{
-		Username: username,
-		Enabled:  true,
-	}
-	user, err := s.createUser(ctx, &record)
+	record := database.NewUser(username)
+	user, err := s.createUser(ctx, record)
 	if err != nil {
 		return nil, fmt.Errorf("failed to automatically create user %q after successful authentication: %v", username, err)
 	}
diff --git a/server_test.go b/server_test.go
index fe88065..8254243 100644
--- a/server_test.go
+++ b/server_test.go
@@ -48,10 +48,7 @@ func createTempPostgresDB(t *testing.T) database.Database {
 }
 
 func createTestUser(t *testing.T, db database.Database) *database.User {
-	record := &database.User{
-		Username: testUsername,
-		Enabled:  true,
-	}
+	record := database.NewUser(testUsername)
 	if err := record.SetPassword(testPassword); err != nil {
 		t.Fatalf("failed to generate bcrypt hash: %v", err)
 	}
diff --git a/service.go b/service.go
index 848fcae..c2969c6 100644
--- a/service.go
+++ b/service.go
@@ -971,13 +971,11 @@ func handleUserCreate(ctx *serviceContext, params []string) error {
 		return fmt.Errorf("flag -password is required")
 	}
 
-	user := &database.User{
-		Username: *username,
-		Nick:     *nick,
-		Realname: *realname,
-		Admin:    *admin,
-		Enabled:  *enabled,
-	}
+	user := database.NewUser(*username)
+	user.Nick = *nick
+	user.Realname = *realname
+	user.Admin = *admin
+	user.Enabled = *enabled
 	if !*disablePassword {
 		if err := user.SetPassword(*password); err != nil {
 			return err