diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index 6b20133b..0cfe8213 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -683,6 +683,8 @@ static int LoadPublicKeyBuffer(byte* buf, word32 bufSz, PwMapList* list)
 return 0;
 }
+#define MAX_PASSWD_RETRY 3
+static int passwdRetry = MAX_PASSWD_RETRY;
 static int wsUserAuth(byte authType,
 WS_UserAuthData* authData,
@@ -691,6 +693,7 @@ static int wsUserAuth(byte authType,
 PwMapList* list;
 PwMap* map;
 byte authHash[SHA256_DIGEST_SIZE];
+ int ret;
 if (ctx == NULL) {
 fprintf(stderr, "wsUserAuth: ctx not set");
@@ -737,9 +740,12 @@ static int wsUserAuth(byte authType,
 return WOLFSSH_USERAUTH_SUCCESS;
 }
 else {
- return (authType == WOLFSSH_USERAUTH_PASSWORD ?
- WOLFSSH_USERAUTH_INVALID_PASSWORD :
- WOLFSSH_USERAUTH_INVALID_PUBLICKEY);
+ ret = (authType == WOLFSSH_USERAUTH_PASSWORD ?
+ (--passwdRetry > 0 ?
+ WOLFSSH_USERAUTH_INVALID_PASSWORD : WOLFSSH_USERAUTH_PASSWORD_RETRYOUT)
+ : WOLFSSH_USERAUTH_INVALID_PUBLICKEY);
+ if (passwdRetry == 0)passwdRetry = MAX_PASSWD_RETRY;
+ return ret;
 }
 }
 else {
diff --git a/src/internal.c b/src/internal.c
index 64b36fd7..31e78460 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3211,7 +3211,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 pw->newPassword = NULL;
 pw->newPasswordSz = 0;
 }
-
+
 if (ssh->ctx->userAuthCb != NULL) {
 WLOG(WS_LOG_DEBUG, "DUARPW: Calling the userauth callback");
 ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PASSWORD,
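Review bot: `passwdRetry` is a single file-scope counter, so the three-attempt limit applies to the whole server process rather than to one connection or one user. Failed passwords from unrelated clients all decrement the same value, so one client's failures use up the attempts available to another. If the echoserver services connections on more than one thread (not visible on this page), the unsynchronised `--passwdRetry` in the later wsUserAuth hunk is also a data race. Keeping the count in per-connection state would address both; at minimum the declaration should carry a comment such as `/* shared by all connections; not a per-session or per-user limit */`.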
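Review bot: The success path just above the changed lines (`return WOLFSSH_USERAUTH_SUCCESS;`) leaves `passwdRetry` untouched, so failures left over from one login reduce the attempts the next login gets; the counter is only restored once it reaches zero. Adding `passwdRetry = MAX_PASSWD_RETRY;` before that return would make each successful login start fresh. The nested conditional with a `--passwdRetry` side effect is also hard to audit; an explicit `if (authType == WOLFSSH_USERAUTH_PASSWORD)` block that decrements, picks the result and resets would read more clearly. wsUserAuth starts and ends outside this hunk.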
@@ -3221,14 +3221,24 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 ssh->clientState = CLIENT_USERAUTH_DONE;
 ret = WS_SUCCESS;
 }
+ else if (ret == WOLFSSH_USERAUTH_INVALID_PASSWORD) {
+ WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
+ ret = SendUserAuthFailure(ssh, 0);
+ }
 else {
 WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
 ret = SendUserAuthFailure(ssh, 0);
+ if(ret == WS_SUCCESS){
+ WLOG(WS_LOG_DEBUG, "DUARPW: WS_INVALID_USERNAME");
+ ret = WS_INVALID_USERNAME;
+ }
 }
 }
 else {
 WLOG(WS_LOG_DEBUG, "DUARPW: No user auth callback");
 ret = SendUserAuthFailure(ssh, 0);
+ if (ret == WS_SUCCESS)
+ ret = WS_FATAL_ERROR;
 }
 }
diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
index fee8c172..b4dfbf3d 100644
--- a/wolfssh/ssh.h
+++ b/wolfssh/ssh.h
@@ -239,6 +239,7 @@ enum WS_UserAuthResults {
 WOLFSSH_USERAUTH_INVALID_AUTHTYPE,
 WOLFSSH_USERAUTH_INVALID_USER,
 WOLFSSH_USERAUTH_INVALID_PASSWORD,
+ WOLFSSH_USERAUTH_PASSWORD_RETRYOUT,
 WOLFSSH_USERAUTH_INVALID_PUBLICKEY
 };
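Review bot: The new `WOLFSSH_USERAUTH_PASSWORD_RETRYOUT` result has no branch of its own here; it falls into the catch-all `else`, which logs "DUARPW: password check failed" and then returns `WS_INVALID_USERNAME`, the same as every other non-success callback result. A retry-limit hit is the event an operator most needs to tell apart in logs, so it deserves an explicit `else if (ret == WOLFSSH_USERAUTH_PASSWORD_RETRYOUT)` branch with its own log line and an error code that does not claim the username was invalid. The first two branches also repeat the same log and `SendUserAuthFailure(ssh, 0)` call and could share that part. DoUserAuthRequestPassword starts and ends outside this hunk.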
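Review bot: Inserting `WOLFSSH_USERAUTH_PASSWORD_RETRYOUT` before `WOLFSSH_USERAUTH_INVALID_PUBLICKEY` changes the numeric value of the latter, assuming the enumerators are implicitly numbered as the visible ones are. This is a public header, so a user-auth callback built against the old header would return a value that the rebuilt library reads as a different authentication result. Appending the new enumerator after `WOLFSSH_USERAUTH_INVALID_PUBLICKEY` keeps the existing values stable. The enum's opening lines are outside this hunk.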