diff --git a/static/style.css b/static/style.css
index 489a1a3..389148b 100644
--- a/static/style.css
+++ b/static/style.css
@@ -57,3 +57,13 @@ button:hover, .button:hover{
 background-color:#2b90d9;
 color:white;
 }
+#form-avi {
+ height: 128px;
+ width:128px;
+ margin:0 auto 15px;
+ background-size:cover;
+ border-radius:16px;
+}
+#form-avi-label {
+ font-size:0.6em;
+}
diff --git a/templates/create_password.html b/templates/create_password.html
index 3c1dea9..e6484c0 100644
--- a/templates/create_password.html
+++ b/templates/create_password.html
@@ -12,10 +12,14 @@
+
+ @lynnesbian@fedi.lynnesbian.space



+

+Your password will be hashed using bcrypt, ensuring that nobody can read it. {% include 'footer.html' %}
\ No newline at end of file
diff --git a/web.py b/web.py
index f037a48..d165502 100755
--- a/web.py
+++ b/web.py
@@ -14,7 +14,7 @@ cfg = json.load(open("meta.json"))
 db = sqlite3.connect("database.db") #TODO: switch to mysql so concurrency is possible
 c = db.cursor()
-c.execute("CREATE TABLE IF NOT EXISTS `data` (username TEXT NOT NULL, instance TEXT NOT NULL, secret TEXT NOT NULL, appid TEXT NOT NULL, appsecret TEXT NOT NULL, cc TEXT, latest_post TEXT, latest_timestamp TEXT, time_between_checks INT)")
+c.execute("CREATE TABLE IF NOT EXISTS `data` (username TEXT NOT NULL, instance TEXT NOT NULL, password TEXT NOT NULL, avi TEXT NOT NULL, secret TEXT NOT NULL, appid TEXT NOT NULL, appsecret TEXT NOT NULL, cc TEXT, latest_post TEXT, latest_timestamp TEXT, time_between_checks INT)")
 app = Flask(cfg['name'])
 app.secret_key = cfg['flask_key']
@@ -51,7 +51,7 @@ def log_in():
 #internal stuff
 @app.route('/internal/auth_a')
-def internal_auth_a():
+def internal_auth_a(): #TODO: prevent these endpoints from being spammed somehow
 session['instance_url'] = request.args.get('url', default='mastodon.social', type=str)
 if not session['instance_url'].startswith("https://"):
@@ -73,7 +73,6 @@ def internal_auth_a():
 }
 url = "{}/oauth/authorize?{}".format(session['instance_url'], urllib.parse.urlencode(params))
- return url
 @app.route('/internal/auth_b')
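Review bot: The sentence added to templates/create_password.html promises more than a bcrypt hash delivers, and no code in this commit hashes or stores a password yet. A hash keeps the stored value from being read back directly, but a weak password can still be guessed offline if the table leaks, so "ensuring that nobody can read it" overstates the guarantee. Suggested wording: `Your password is stored only as a bcrypt hash, never in plain text.` The claim should ship together with the code that makes it true; the rest of this hunk's markup is not visible here.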
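Review bot: `CREATE TABLE IF NOT EXISTS` does nothing when `data` already exists, so an existing database.db keeps the old columns and only fresh installs get `password` and `avi`. Both new columns are `NOT NULL`, yet the INSERT this commit moves into `create_account` (last web.py hunk) still lists only the five old columns, so on a fresh database it would fail the constraint. Either add a migration step (`ALTER TABLE data ADD COLUMN ...` with a default) or give the columns defaults until the signup flow fills them. A comment such as `# password holds the bcrypt hash only, never the plaintext` next to the schema would pin down what the column is for.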
@@ -86,10 +85,8 @@ def internal_auth_b():
 if c.execute("SELECT COUNT(*) FROM data WHERE username LIKE ? AND instance LIKE ?", (session['username'], session['instance_url'])).fetchone()[0] > 0: #user already has an account with CG
 return redirect(url_for('log_in'))
-
- c.execute("INSERT INTO data (username, instance, secret, appid, appsecret) VALUES (?, ?, ?, ?, ?)", (session['username'], session['instance_url'], session['secret'], session['client_id'], session['client_secret']))
- db.commit()
- return redirect(url_for('home'))
+ else:
+ return redirect(url_for('home'))
 @app.route('/internal/do_login')
 def do_login():
@@ -97,4 +94,9 @@ def do_login():
 @app.route('/create_password')
 def create_password():
- return render_template("create_password.html")
\ No newline at end of file
+ return render_template("create_password.html")
+
+@app.route('/internal/create_account')
+def create_account():
+ c.execute("INSERT INTO data (username, instance, secret, appid, appsecret) VALUES (?, ?, ?, ?, ?)", (session['username'], session['instance_url'], session['secret'], session['client_id'], session['client_secret']))
+ db.commit()
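Review bot: With the INSERT removed from `internal_auth_b`, the duplicate-account test on the context line above no longer sits next to the write it was protecting. The new `/internal/create_account` route (last hunk) inserts without repeating it, so repeated requests in one session could create several rows for the same user. Repeat the check inside `create_account`, or better, declare `UNIQUE(username, instance)` in the schema so the database enforces it. The check also compares with `LIKE`, where `_` and `%` in a username act as wildcards; `username = ? AND instance = ?` gives the exact match that appears to be intended. The function starts outside this hunk.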
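Review bot: `create_account` ends after `db.commit()` without returning a response, which Flask rejects for a view function, so add e.g. `return redirect(url_for('home'))`. The INSERT also omits the `password` and `avi` columns that the schema hunk declares `NOT NULL`, and nothing here computes the bcrypt hash the template promises. Because the route answers GET and changes state, it can be triggered by a plain link or image tag on another site; `@app.route('/internal/create_account', methods=['POST'])` plus a check that the `session` keys exist before the insert would close that.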