diff --git a/src/lib/isURL.js b/src/lib/isURL.js
index 6fe5651e5..4306e5deb 100644
--- a/src/lib/isURL.js
+++ b/src/lib/isURL.js
@@ -101,8 +101,11 @@ export default function isURL(url, options) {
     if (options.disallow_auth) {
       return false;
     }
+    if (split[0] === '' || split[0].substr(0, 1) === ':') {
+      return false;
+    }
     auth = split.shift();
-    if (auth.indexOf(':') === -1 || (auth.indexOf(':') >= 0 && auth.split(':').length > 2)) {
+    if (auth.indexOf(':') >= 0 && auth.split(':').length > 2) {
       return false;
     }
   }
diff --git a/test/validators.js b/test/validators.js
index 4a4180a8e..363886f82 100644
--- a/test/validators.js
+++ b/test/validators.js
@@ -350,6 +350,7 @@ describe('Validators', () => {
         'http://www.foobar.com/~foobar',
         'http://user:pass@www.foobar.com/',
         'http://user:@www.foobar.com/',
+        'http://user@www.foobar.com',
         'http://127.0.0.1/',
         'http://10.0.0.0/',
         'http://189.123.14.13/',
@@ -374,7 +375,6 @@ describe('Validators', () => {
         'http://[::FFFF:129.144.52.38]:80/index.html',
         'http://[2010:836B:4179::836B:4179]',
         'http://example.com/example.json#/foo/bar',
-        'http://user:@www.foobar.com',
         'http://1337.com',
       ],
       invalid: [
@@ -405,6 +405,8 @@ describe('Validators', () => {
         'http://lol: @foobar.com/',
         'http://www.foo_bar.com/',
         'http://www.foobar.com/\t',
+        'http://@foobar.com',
+        'http://:@foobar.com',
         'http://\n@www.foobar.com/',
         '',
         `http://foobar.com/${new Array(2083).join('f')}`,
@@ -416,7 +418,6 @@ describe('Validators', () => {
         '////foobar.com',
         'http:////foobar.com',
         'https://example.com/foo/<script>alert(\'XSS\')</script>/',
-        'myemail@mail.com',
       ],
     });
   });
@@ -668,6 +669,24 @@ describe('Validators', () => {
     });
   });
 
+  it('should accept urls containing authentication information', () => {
+    test({
+      validator: 'isURL',
+      args: [{ disallow_auth: false }],
+      valid: [
+        'user@example.com',
+        'user:@example.com',
+        'user:password@example.com',
+      ],
+      invalid: [
+        'user:user:password@example.com',
+        '@example.com',
+        ':@example.com',
+        ':example.com',
+      ],
+    });
+  });
+
   it('should allow user to skip URL length validation', () => {
     test({
       validator: 'isURL',