diff --git a/pkg/auth/authenticator/password/denypassword/denypassword.go b/pkg/auth/authenticator/password/denypassword/denypassword.go
new file mode 100644
index 000000000000..e785ddafcefe
--- /dev/null
+++ b/pkg/auth/authenticator/password/denypassword/denypassword.go
@@ -0,0 +1,20 @@
+package denypassword
+
+import (
+ "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
+ "github.com/openshift/origin/pkg/auth/authenticator"
+)
+
+// denyPasswordAuthenticator denies all password requests
+type denyPasswordAuthenticator struct {
+}
+
+// New creates a new password authenticator that denies any login attempt
+func New() authenticator.Password {
+ return &denyPasswordAuthenticator{}
+}
+
+// AuthenticatePassword denies any login attempt
+func (a denyPasswordAuthenticator) AuthenticatePassword(username, password string) (user.Info, bool, error) {
+ return nil, false, nil
+}
diff --git a/pkg/cmd/server/origin/auth.go b/pkg/cmd/server/origin/auth.go
index 1fd43e390d3e..1488e738e042 100644
--- a/pkg/cmd/server/origin/auth.go
+++ b/pkg/cmd/server/origin/auth.go
@@ -22,6 +22,7 @@ import (
 "github.com/openshift/origin/pkg/auth/authenticator/challenger/passwordchallenger"
 "github.com/openshift/origin/pkg/auth/authenticator/password/allowanypassword"
 "github.com/openshift/origin/pkg/auth/authenticator/password/basicauthpassword"
+ "github.com/openshift/origin/pkg/auth/authenticator/password/denypassword"
 "github.com/openshift/origin/pkg/auth/authenticator/request/basicauthrequest"
 "github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"
 "github.com/openshift/origin/pkg/auth/authenticator/request/headerrequest"
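Review bot: The doc comment on `AuthenticatePassword` in denypassword.go does not say how the denial is reported: the method returns `nil, false, nil`, i.e. "not authenticated" with no error, and the body records nothing about the rejected attempt. I would state the contract, e.g. `// AuthenticatePassword always returns (nil, false, nil): the credentials are never inspected and the rejection is not reported as an error.`, so that callers know any logging of denied logins has to happen on their side. As a style point, `New` returns `&denyPasswordAuthenticator{}` while the method uses a value receiver with an unused name; `func (denyPasswordAuthenticator) AuthenticatePassword(...)` or a pointer receiver would be more consistent.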
@@ -126,6 +127,8 @@ const (
 PasswordAuthAnyPassword PasswordAuthType = "anypassword"
 // PasswordAuthBasicAuthURL validates password credentials by making a request to a remote url using basic auth. See basicauthpassword.Authenticator
 PasswordAuthBasicAuthURL PasswordAuthType = "basicauthurl"
+ // PasswordAuthDeny treats any username and password combination as an unsuccessful authentication
+ PasswordAuthDeny PasswordAuthType = "deny"
 )
 
 type TokenStoreType string
@@ -473,6 +476,9 @@ func (c *AuthConfig) getPasswordAuthenticator() authenticator.Password {
 case PasswordAuthAnyPassword:
 // Accepts any username and password
 passwordAuth = allowanypassword.New(identityMapper)
+ case PasswordAuthDeny:
+ // Deny any username and password
+ passwordAuth = denypassword.New()
 default:
 glog.Fatalf("No password auth found that matches %v. The oauth server cannot start!", passwordAuthType)
 }
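Review bot: The new `case PasswordAuthDeny` in getPasswordAuthenticator only swaps the credential check; nothing visible here shows whether the password challenge or login handlers are still registered when `deny` is selected. The file imports `passwordchallenger`, so presumably clients would still be prompted for credentials that can never succeed, which is worth confirming. If that is the intended behaviour, the case comment could say so, e.g. `// Deny any username and password; password login stays wired but always fails`. The function's body starts and continues outside this hunk, so the wiring itself is not visible.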