diff --git a/src/conf.c b/src/conf.c
index a5adf80d..706e8689 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -96,9 +96,11 @@ static char *fgets_extending(char **buf, int *buflen, FILE *stream)
 }
 
 
-static void conf__set_cur_security_options(struct mosquitto__config *config, struct mosquitto__security_options **security_options)
+static void conf__set_cur_security_options(struct mosquitto__config *config, struct mosquitto__listener *cur_listener, struct mosquitto__security_options **security_options)
 {
-	if(!(*security_options)){
+	if(config->per_listener_settings){
+		(*security_options) = &cur_listener->security_options;
+	}else{
 		(*security_options) = &config->security_options;
 	}
 }
@@ -1450,7 +1452,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
 #endif
 				}else if(!strcmp(token, "password_file")){
-					conf__set_cur_security_options(config, &cur_security_options);
+					conf__set_cur_security_options(config, cur_listener, &cur_security_options);
 					if(reload){
 						mosquitto__free(cur_security_options->password_file);
 						cur_security_options->password_file = NULL;
diff --git a/src/security_default.c b/src/security_default.c
index 0b00ee53..d447ec73 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -688,6 +688,7 @@ static int mosquitto__memcmp_const(const void *a, const void *b, size_t len)
 int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *context, const char *username, const char *password)
 {
 	struct mosquitto__unpwd *u, *tmp;
+	struct mosquitto__unpwd *unpwd_ref;
 #ifdef WITH_TLS
 	unsigned char hash[EVP_MAX_MD_SIZE];
 	unsigned int hash_len;
@@ -698,12 +699,14 @@ int mosquitto_unpwd_check_default(struct mosquitto_db *db, struct mosquitto *con
 	if(db->config->per_listener_settings){
 		if(!context->listener) return MOSQ_ERR_INVAL;
 		if(!context->listener->unpwd) return MOSQ_ERR_PLUGIN_DEFER;
+		unpwd_ref = context->listener->unpwd;
 	}else{
 		if(!db->unpwd) return MOSQ_ERR_PLUGIN_DEFER;
+		unpwd_ref = db->unpwd;
 	}
-	if(!username) return MOSQ_ERR_INVAL; /* Check must be made only after checking db->unpwd. */
+	if(!username) return MOSQ_ERR_INVAL; /* Check must be made only after checking unpwd_ref. */
 
-	HASH_ITER(hh, db->unpwd, u, tmp){
+	HASH_ITER(hh, unpwd_ref, u, tmp){
 		if(!strcmp(u->username, username)){
 			if(u->password){
 				if(password){