diff --git a/auth.go b/auth.go
index 524ef3a..d9cb6fc 100644
--- a/auth.go
+++ b/auth.go
@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 
 	"github.com/tg123/go-htpasswd"
 	"golang.org/x/crypto/bcrypt"
@@ -23,6 +24,7 @@ const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT"
 
 type Auth interface {
 	Validate(wr http.ResponseWriter, req *http.Request) bool
+	Stop()
 }
 
 func NewAuth(paramstr string, logger *CondLogger) (Auth, error) {
@@ -77,6 +79,7 @@ func NewStaticAuth(param_url *url.URL, logger *CondLogger) (*BasicAuth, error) {
 		hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
 		logger:       logger,
 		pwFile:       pwFile,
+		stopChan:     make(chan struct{}),
 	}, nil
 }
 
@@ -99,6 +102,9 @@ type BasicAuth struct {
 	pwMux        sync.RWMutex
 	logger       *CondLogger
 	hiddenDomain string
+	stopOnce     sync.Once
+	stopChan     chan struct{}
+	lastReloaded time.Time
 }
 
 func NewBasicFileAuth(param_url *url.URL, logger *CondLogger) (*BasicAuth, error) {
@@ -115,16 +121,30 @@ func NewBasicFileAuth(param_url *url.URL, logger *CondLogger) (*BasicAuth, error
 		hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
 		pwFilename:   filename,
 		logger:       logger,
+		stopChan:     make(chan struct{}),
 	}
 
 	if err := auth.reload(); err != nil {
 		return nil, fmt.Errorf("unable to load initial password list: %w", err)
 	}
 
+	reloadIntervalOption := values.Get("reload")
+	reloadInterval, err := time.ParseDuration(reloadIntervalOption)
+	if err != nil {
+		reloadInterval = 0
+	}
+	if reloadInterval == 0 {
+		reloadInterval = 15 * time.Second
+	}
+	if reloadInterval > 0 {
+		go auth.reloadLoop(reloadInterval)
+	}
+
 	return auth, nil
 }
 
 func (auth *BasicAuth) reload() error {
+	auth.logger.Info("reloading password file from %q...", auth.pwFilename)
 	newPwFile, err := htpasswd.New(auth.pwFilename, htpasswd.DefaultSystems, func(parseErr error) {
 		auth.logger.Error("failed to parse line in %q: %v", auth.pwFilename, parseErr)
 	})
@@ -132,13 +152,45 @@ func (auth *BasicAuth) reload() error {
 		return err
 	}
 
+	now := time.Now()
+
 	auth.pwMux.Lock()
-	defer auth.pwMux.Unlock()
 	auth.pwFile = newPwFile
+	auth.lastReloaded = now
+	auth.pwMux.Unlock()
+	auth.logger.Info("password file reloaded.")
 
 	return nil
 }
 
+func (auth *BasicAuth) condReload() error {
+	reload := func() bool {
+		pwFileModTime, err := fileModTime(auth.pwFilename)
+		if err != nil {
+			auth.logger.Warning("can't get password file modtime: %v", err)
+			return true
+		}
+		return !pwFileModTime.Before(auth.lastReloaded)
+	}()
+	if reload {
+		return auth.reload()
+	}
+	return nil
+}
+
+func (auth *BasicAuth) reloadLoop(interval time.Duration) {
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-auth.stopChan:
+			return
+		case <-ticker.C:
+			auth.condReload()
+		}
+	}
+}
+
 func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
 	hdr := req.Header.Get("Proxy-Authorization")
 	if hdr == "" {
@@ -166,7 +218,7 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
 
 	login := pair[0]
 	password := pair[1]
-	
+
 	auth.pwMux.RLock()
 	pwFile := auth.pwFile
 	auth.pwMux.RUnlock()
@@ -190,12 +242,20 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
 	return false
 }
 
+func (auth *BasicAuth) Stop() {
+	auth.stopOnce.Do(func() {
+		close(auth.stopChan)
+	})
+}
+
 type NoAuth struct{}
 
 func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
 	return true
 }
 
+func (_ NoAuth) Stop() {}
+
 type CertAuth struct{}
 
 func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
@@ -206,3 +266,5 @@ func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
 		return true
 	}
 }
+
+func (_ CertAuth) Stop() {}
diff --git a/main.go b/main.go
index cedf9ff..f009c1c 100644
--- a/main.go
+++ b/main.go
@@ -128,6 +128,7 @@ func run() int {
 		mainLogger.Critical("Failed to instantiate auth provider: %v", err)
 		return 3
 	}
+	defer auth.Stop()
 
 	server := http.Server{
 		Addr:              args.bind_address,
diff --git a/utils.go b/utils.go
index c274165..96a2667 100644
--- a/utils.go
+++ b/utils.go
@@ -6,11 +6,13 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -189,3 +191,18 @@ func makeCipherList(ciphers string) []uint16 {
 
 	return cipherIDList
 }
+
+func fileModTime(filename string) (time.Time, error) {
+	f, err := os.Open(filename)
+	if err != nil {
+		return time.Time{}, fmt.Errorf("fileModTime(): can't open file %q: %w", filename, err)
+	}
+	defer f.Close()
+
+	fi, err := f.Stat()
+	if err != nil {
+		return time.Time{}, fmt.Errorf("fileModTime(): can't stat file %q: %w", filename, err)
+	}
+
+	return fi.ModTime(), nil
+}