diff --git a/src/auth/plain.c b/src/auth/plain.c
index 7ce96135..2c0741e9 100644
--- a/src/auth/plain.c
+++ b/src/auth/plain.c
@@ -232,7 +232,7 @@ static int plain_auth_pass(void *ctx, const char *pass, unsigned pass_len)
 	    && strcmp(crypt(pass, pctx->cpass), pctx->cpass) == 0)
 		return 0;
 	else {
-		if (pctx->retries++ < MAX_TRIES) {
+		if (pctx->retries++ < MAX_TRIES-1) {
 			pctx->pass_msg = pass_msg_failed;
 			return ERR_AUTH_CONTINUE;
 		} else {
diff --git a/src/auth/radius.c b/src/auth/radius.c
index 95dd22f1..85993538 100644
--- a/src/auth/radius.c
+++ b/src/auth/radius.c
@@ -277,7 +277,7 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
 		if (ret == PW_ACCESS_CHALLENGE) {
 			pctx->pass_msg = pass_msg_second;
 			return ERR_AUTH_CONTINUE;
-		} else if (pctx->retries++ < MAX_TRIES) {
+		} else if (pctx->retries++ < MAX_TRIES-1) {
 			pctx->pass_msg = pass_msg_failed;
 			return ERR_AUTH_CONTINUE;
 		} else {