diff --git a/examples/blueprints/blueprints/core/views.py b/examples/blueprints/blueprints/core/views.py
index ad4a806479e11f6aa856b01ea2d6028f3cf56846..cbb4dd5795bf1a4d584807fbd79dd6f5d3e97c12 100644
--- a/examples/blueprints/blueprints/core/views.py
+++ b/examples/blueprints/blueprints/core/views.py
@@ -18,7 +18,7 @@ def login():
         user = request.form['user']
         passwd = request.form['passwd']
         test = ldap.bind_user(user, passwd)
-        if test is None:
+        if test is None or passwd == '':
             return 'Invalid credentials'
         else:
             session['user_id'] = request.form['user']
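Review bot: The empty-password test on the changed `if` line runs only after `ldap.bind_user(user, passwd)` has already been called, so the directory still receives a bind with an empty password before the login is refused. Rejecting the input first avoids that round trip and keeps such binds out of the directory's logs: put `if not passwd: return 'Invalid credentials'` ahead of the `bind_user` call and leave the later check as `if test is None:`. The same ordering appears in the `login()` hunk of examples/groups/app.py. `login()` starts and ends outside this hunk, so the placement is relative to the lines shown.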
diff --git a/examples/groups/app.py b/examples/groups/app.py
index cbda3c62a328d2fee90d9ee97ef87ddf7718a5be..ceeb1cffb55d35d249c3f09933e2804cabb840ab 100644
--- a/examples/groups/app.py
+++ b/examples/groups/app.py
@@ -36,7 +36,7 @@ def login():
         user = request.form['user']
         passwd = request.form['passwd']
         test = ldap.bind_user(user, passwd)
-        if test is None:
+        if test is None or passwd = '':
             return 'Invalid credentials'
         else:
             session['user_id'] = request.form['user']
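Review bot: `passwd = ''` in the new condition is an assignment, not a comparison, and Python rejects it as a SyntaxError, so this example module will fail to import and the guard never runs. The matching line in examples/blueprints/blueprints/core/views.py uses `==`; this one should read `if test is None or passwd == '':`. Importing or running each example after the change would have caught the typo.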
diff --git a/flask_simpleldap/__init__.py b/flask_simpleldap/__init__.py
index 08e09638133dbdce3e0bcf262824cd0a1d4043e0..9cfa8af9133dc427a929052d28a7ebff49a5ed0e 100644
--- a/flask_simpleldap/__init__.py
+++ b/flask_simpleldap/__init__.py
@@ -121,6 +121,15 @@ class LDAP(object):
         """Attempts to bind a user to the LDAP server using the credentials
         supplied.
 
+        .. note::
+
+            Many LDAP servers will grant anonymous access if ``password`` is
+            the empty string, causing this method to return :obj:`True` no
+            matter what username is given. If you want to use this method to
+            validate a username and password, rather than actually connecting
+            to the LDAP server as a particular user, make sure ``password`` is
+            not empty.
+
         :param str username: The username to attempt to bind with.
         :param str password: The password of the username we're attempting to
             bind with.
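Review bot: The added note documents the empty-password pitfall but leaves the guard to every caller of `bind_user`, and the example changes in this same commit show how easy that check is to get wrong. The note could be more precise: RFC 4513 section 5.1.2 calls a simple bind with a name and an empty password an "unauthenticated bind", distinct from an anonymous one, and recommends that clients refuse empty passwords. It would also help to show callers the check to make, for example `if not password:` before calling this method. The method body is outside this hunk; if callers that want an unauthenticated bind are rare, an explicit refusal inside the method may be the safer default.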
@@ -317,7 +326,11 @@ class LDAP(object):
                 req_username = request.authorization.username
                 req_password = request.authorization.password
 
-            if req_username is None or req_password is None:
+            # Many LDAP servers will grant you anonymous access if you log in
+            # with an empty password, even if you supply a non-anonymous user
+            # ID, causing .bind_user() to return True. Therefore, only accept
+            # non-empty passwords.
+            if req_username in ['', None] or req_password in ['', None]:
                 current_app.logger.debug('Got a request without auth data')
                 return make_auth_required_response()