diff --git a/cli.go b/cli.go
index 72ec218e76..4f25071d10 100644
--- a/cli.go
+++ b/cli.go
@@ -365,6 +365,16 @@ func getConfig() (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	stat, err := os.Stat(scwrcPath)
+	// we don't care if it fails, the user just won't see the warning
+	if err == nil {
+		mode := stat.Mode()
+		if mode&0066 != 0 {
+			log.Fatalf("Permissions %#o for .scwrc are too open.", mode)
+		}
+	}
+
 	file, err := ioutil.ReadFile(scwrcPath)
 	if err != nil {
 		return nil, err
diff --git a/login.go b/login.go
index b42f847fb3..d0f2a1e4d2 100644
--- a/login.go
+++ b/login.go
@@ -57,8 +57,10 @@ func runLogin(cmd *Command, args []string) {
 		cmd.PrintShortUsage()
 	}
 
-	if len(organization) == 0 && len(token) == 0 {
+	if len(organization) == 0 {
 		promptUser("Organization: ", &organization, true)
+	}
+	if len(token) == 0 {
 		promptUser("Token: ", &token, false)
 	}
 
@@ -81,7 +83,7 @@ func runLogin(cmd *Command, args []string) {
 	if err != nil {
 		log.Fatalf("Unable to get scwrc config file path: %s", err)
 	}
-	scwrc, err := os.OpenFile(scwrcPath, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0644)
+	scwrc, err := os.OpenFile(scwrcPath, os.O_CREATE|os.O_TRUNC|os.O_RDWR, 0600)
 	if err != nil {
 		log.Fatalf("Unable to create scwrc config file: %s", err)
 	}