diff --git a/CHANGES.rst b/CHANGES.rst
index cd2d8b9..c3ad32a 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -2,6 +2,11 @@ Changelog
 =========
+v2.0.1 (UNRLEASED)
+==================
+
+- prevent creation of databases with an empty password as those cannot be removed.
+
 v2.0.0
 ======
diff --git a/postgraas_server/management_resources.py b/postgraas_server/management_resources.py
index cfa2537..90ae720 100644
--- a/postgraas_server/management_resources.py
+++ b/postgraas_server/management_resources.py
@@ -1,4 +1,5 @@
 import datetime
+import json
 import logging
 import psycopg2
@@ -132,6 +133,9 @@ def post(self):
 parser.add_argument('db_pwd', required=True, type=str, help='pass of the db user')
 args = parser.parse_args()
+ if not args['db_pwd']:
+ abort(400, msg='The password may not be empty.')
+
 if DBInstance.query.filter_by(postgraas_instance_name=args['postgraas_instance_name'] ).first():
 return {
diff --git a/tests/test_integration/test_postgras_api.py b/tests/test_integration/test_postgras_api.py
index b60d297..8883d9e 100644
--- a/tests/test_integration/test_postgras_api.py
+++ b/tests/test_integration/test_postgras_api.py
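Review bot: `import json` is added at the top of postgraas_server/management_resources.py, but nothing in the hunks of this file uses `json`; the new check in `post()` calls only `abort`. Unless a use exists outside the visible hunks, drop the import so linters do not flag it.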
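Review bot: The new guard in `post()` (postgraas_server/management_resources.py) rejects only a falsy `db_pwd`, so a whitespace-only or one-character password is still accepted as the database credential. If every instance is meant to have a usable secret, check the stripped value against a minimum length here, e.g. `if len(args['db_pwd'].strip()) < MIN_DB_PWD_LEN:`, where `MIN_DB_PWD_LEN` is a placeholder for a configured limit. The check also covers creation only: instances that already exist with an empty password are, per the changelog entry, still not removable, and nothing in this diff touches the delete path. `post()` starts and ends outside the hunk.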
@@ -126,22 +126,24 @@ def docker_setup(request, tmpdir):
 class PostgraasApiTestBase:
 def get_postgraas_by_name(self, name, client):
 headers = {'Content-Type': 'application/json'}
- list = client.get('/api/v2/postgraas_instances', headers=headers)
- for instance in json.loads(list.get_data(as_text=True)):
+ instances = client.get('/api/v2/postgraas_instances', headers=headers)
+ for instance in json.loads(instances.get_data(as_text=True)):
 if instance["postgraas_instance_name"] == name:
 return instance["id"]
+ return None
 def delete_instance_by_name(self, db_credentials, client):
- id = self.get_postgraas_by_name(db_credentials["postgraas_instance_name"], client)
- db_pwd = db_credentials["db_pwd"]
- headers = {'Content-Type': 'application/json'}
- client.delete(
- '/api/v2/postgraas_instances/' + str(id),
- data=json.dumps({
- 'db_pwd': db_pwd
- }),
- headers=headers
- )
+ instance_id = self.get_postgraas_by_name(db_credentials["postgraas_instance_name"], client)
+ if instance_id is not None:
+ db_pwd = db_credentials["db_pwd"]
+ headers = {'Content-Type': 'application/json'}
+ client.delete(
+ '/api/v2/postgraas_instances/' + str(instance_id),
+ data=json.dumps({
+ 'db_pwd': db_pwd
+ }),
+ headers=headers
+ )
 @pytest.mark.usefixtures('docker_setup')
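Review bot: The rewritten `delete_instance_by_name` still discards the response of `client.delete(...)`, so a cleanup that the server refuses (for example on a password mismatch) goes unnoticed and the instance leaks into later tests. Since this commit is about instances that cannot be removed, keep the response and check it, e.g. `response = client.delete(...)` followed by `assert response.status_code == 200, response.get_data(as_text=True)`. The expected status code is an assumption, as the DELETE handler is not shown in this diff. A one-line docstring saying that a missing instance is treated as already deleted would also document the new `is not None` branch.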
@@ -381,3 +383,22 @@ def test_return_postgres_instance_api(self):
 assert actual_data == expected
 self.delete_instance_by_name(db_credentials, self.app_client)
+
+ def test_empty_password(self):
+ instance_name = "test_empty_password"
+ db_credentials = {
+ "postgraas_instance_name": instance_name,
+ "db_name": self.db_name,
+ "db_username": self.username,
+ "db_pwd": "",
+ }
+ self.delete_instance_by_name(db_credentials, self.app_client)
+ headers = {'Content-Type': 'application/json'}
+ result = self.app_client.post(
+ '/api/v2/postgraas_instances', headers=headers, data=json.dumps(db_credentials)
+ )
+ created_db = json.loads(result.get_data(as_text=True))
+
+ assert result.status_code == 400
+ print(created_db)
+ assert 'password may not be empty' in created_db["msg"]
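Review bot: `test_empty_password` checks the 400 and the message but not that the rejected request left nothing behind. Adding `assert self.get_postgraas_by_name(instance_name, self.app_client) is None` after the status assertion would catch a regression that moves the password check below the record or container creation. `print(created_db)` looks like leftover debugging and can go. Asserting `result.status_code == 400` before `json.loads(...)` would also give a clearer failure if the server answers with a non-JSON error body.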