diff --git a/openvpn/proxy/ntlm.hpp b/openvpn/proxy/ntlm.hpp
index f6c95b7a7..850cbfce4 100644
--- a/openvpn/proxy/ntlm.hpp
+++ b/openvpn/proxy/ntlm.hpp
@@ -70,7 +70,7 @@ class NTLM
             throw Exception("password is blank");
 
         if (phase_2_response.size() < 32)
-            throw Exception("phase2 response from server too short (" + std::to_string(phase_2_response.size()) + ")");
+            throw Exception("phase2 base64 response from server too short (" + std::to_string(phase_2_response.size()) + ")");
 
         // split domain\username
         std::string domain;
@@ -89,6 +89,9 @@ class NTLM
         BufferAllocated response(phase_2_response.size(), 0);
         base64->decode(response, phase_2_response);
 
+        if (response.size() < 32)
+            throw Exception("phase2 decoded response from server too short (" + std::to_string(response.size()) + ")");
+
         // extract the challenge from bytes 24-31 in the response
         unsigned char challenge[8];
         for (size_t i = 0; i < 8; ++i)