diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98f55f1..557dc81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,9 @@ and this project adheres to [Intended Effort Versioning](https://jacobtomlinson.
 ## 1.3.2 - [Unreleased]
+### Added
+- Email/password authentication for legacy endpoint.
+
 ### Fixed
 - Handle PHPs old BCrypt version.
diff --git a/src/controllers/legacy_entity_controller.cr b/src/controllers/legacy_entity_controller.cr
index 2a38526..82f32ef 100644
--- a/src/controllers/legacy_entity_controller.cr
+++ b/src/controllers/legacy_entity_controller.cr
@@ -6,6 +6,8 @@ class LegacyEntityController < Amber::Controller::Base
 def index
 token_user = nil : User?
+
+ # Legacy "token" authentication.
 if params[:token]?
 # Timelord uses a version of bcrypt hash that's basically only
 # used by PHP, so we "fix" it to the version Crystal BCrypt
@@ -33,6 +35,16 @@ class LegacyEntityController < Amber::Controller::Base
 end
 end
+ # Temporary email/password authentication.
+ if params[:password]? && params[:email]?
+ token_user = User.find_by!(email: params[:email])
+ unless token_user.authenticate(params[:password])
+ halt!(403, "Forbidden")
+
+ return
+ end
+ end
+
 location = Time::Location.load("Europe/Copenhagen")
 date_from = Time.local(location).at_beginning_of_month
 date_to = Time.local(location).at_end_of_day.shift(days: -1)
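Review bot: In the new email/password block, `User.find_by!(email: params[:email])` presumably raises when no user matches, so an unknown email leaves through an exception path while a wrong password gets the explicit 403, and the differing responses let a caller tell registered addresses apart. If the ORM offers the non-raising lookup, send both failures through the same branch: `token_user = User.find_by(email: params[:email])` followed by `unless token_user && token_user.authenticate(params[:password])`. Because this is the `index` action, `params[:password]` may be filled from the query string, in which case the password ends up in access logs and proxy logs; reading it only from the request body or a header would avoid that. The block also reassigns `token_user` after the token branch, so a request carrying both a token and an email/password pair is decided by the password check alone, which is worth stating in the comment along with the condition for removing this "temporary" path. The `index` method begins and ends outside this hunk, so how `token_user` is used afterwards is not visible here.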