diff --git a/usr.sbin/pw/pw.c b/usr.sbin/pw/pw.c
index b9bd9d052cfe..6769738fbe30 100644
--- a/usr.sbin/pw/pw.c
+++ b/usr.sbin/pw/pw.c
@@ -215,6 +215,7 @@ main(int argc, char *argv[])
 	if (mode == -1 || which == -1)
 		cmdhelp(mode, which);
 
+	conf.which = which;
 	/*
 	 * We know which mode we're in and what we're about to do, so now
 	 * let's dispatch the remaining command line args in a genric way.
diff --git a/usr.sbin/pw/pw_group.c b/usr.sbin/pw/pw_group.c
index 2a90ff2530a5..c664ef5a70d6 100644
--- a/usr.sbin/pw/pw_group.c
+++ b/usr.sbin/pw/pw_group.c
@@ -200,7 +200,7 @@ pw_group(int mode, char *name, long id, struct cargs * args)
 	 * software.
 	 */
 
-	if (conf.fd != -1)
+	if (conf.which == W_GROUP && conf.fd != -1)
 		set_passwd(grp, mode == M_UPDATE);
 
 	if (((arg = getarg(args, 'M')) != NULL ||
diff --git a/usr.sbin/pw/pwupd.h b/usr.sbin/pw/pwupd.h
index c6ed32e6c40f..37303de4e63d 100644
--- a/usr.sbin/pw/pwupd.h
+++ b/usr.sbin/pw/pwupd.h
@@ -86,6 +86,7 @@ struct pwconf {
 	char		*newname;
 	char		*config;
 	int		 fd;
+	int		 which;
 	bool		 dryrun;
 	bool		 pretty;
 	bool		 v7;
diff --git a/usr.sbin/pw/tests/pw_useradd.sh b/usr.sbin/pw/tests/pw_useradd.sh
index 32d3b9d7139d..469c1e5cde52 100755
--- a/usr.sbin/pw/tests/pw_useradd.sh
+++ b/usr.sbin/pw/tests/pw_useradd.sh
@@ -231,6 +231,15 @@ user_add_invalid_group_entry_body() {
 	atf_check -s exit:1 -e match:"Invalid group entry" ${PW} useradd foo2
 }
 
+atf_test_case user_add_password_from_h
+user_add_password_from_h_body() {
+	populate_etc_skel
+
+	atf_check -s exit:0 ${PW} useradd test -h 0 <<-EOF
+	$(echo test)
+	EOF
+}
+
 atf_init_test_cases() {
 	atf_add_test_case user_add
 	atf_add_test_case user_add_noupdate
@@ -251,4 +260,5 @@ atf_init_test_cases() {
 	atf_add_test_case user_add_expiration
 	atf_add_test_case user_add_invalid_user_entry
 	atf_add_test_case user_add_invalid_group_entry
+	atf_add_test_case user_add_password_from_h
 }