diff --git a/app/schemas.py b/app/schemas.py
index a33a6d47c..ee3b65330 100644
--- a/app/schemas.py
+++ b/app/schemas.py
@@ -140,6 +140,20 @@ class UserUpdateAttributeSchema(BaseSchema):
                 raise ValidationError('Unknown field name {}'.format(key))
 
 
+class UserUpdatePasswordSchema(BaseSchema):
+
+    class Meta:
+        model = models.User
+        only = ('password')
+        strict = True
+
+    @validates_schema(pass_original=True)
+    def check_unknown_fields(self, data, original_data):
+        for key in original_data:
+            if key not in self.fields:
+                raise ValidationError('Unknown field name {}'.format(key))
+
+
 class ProviderDetailsSchema(BaseSchema):
     class Meta:
         model = models.ProviderDetails
@@ -560,6 +574,7 @@ class UnarchivedTemplateSchema(BaseSchema):
 user_schema = UserSchema()
 user_schema_load_json = UserSchema(load_json=True)
 user_update_schema_load_json = UserUpdateAttributeSchema(load_json=True, partial=True)
+user_update_password_schema_load_json = UserUpdatePasswordSchema(load_json=True, partial=True)
 service_schema = ServiceSchema()
 service_schema_load_json = ServiceSchema(load_json=True)
 detailed_service_schema = DetailedServiceSchema()
diff --git a/app/user/rest.py b/app/user/rest.py
index cd7726ae2..5f9dd91ed 100644
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -11,7 +11,8 @@ from app.dao.users_dao import (
     reset_failed_login_count,
     get_user_by_email,
     create_secret_code,
-    save_user_attribute
+    save_user_attribute,
+    update_user_password
 )
 from app.dao.permissions_dao import permission_dao
 from app.dao.services_dao import dao_fetch_service_by_id
@@ -27,7 +28,8 @@ from app.schemas import (
     request_verify_code_schema,
     permission_schema,
     user_schema_load_json,
-    user_update_schema_load_json
+    user_update_schema_load_json,
+    user_update_password_schema_load_json
 )
 
 from app.errors import (
@@ -304,6 +306,19 @@ def send_user_reset_password():
     return jsonify({}), 204
 
 
+@user.route('/<uuid:user_id>/update-password', methods=['POST'])
+def update_password(user_id):
+    user = get_user_by_id(user_id=user_id)
+    req_json = request.get_json()
+    pwd = req_json.get('_password')
+    update_dct, errors = user_update_password_schema_load_json.load(req_json)
+    if errors:
+        raise InvalidRequest(errors, status_code=400)
+
+    update_user_password(user, pwd)
+    return jsonify(data=user_schema.dump(user).data), 200
+
+
 def _create_reset_password_url(email):
     data = json.dumps({'email': email, 'created_at': str(datetime.utcnow())})
     url = '/new-password/'
diff --git a/tests/app/user/test_rest.py b/tests/app/user/test_rest.py
index fde24bff8..303f6de6e 100644
--- a/tests/app/user/test_rest.py
+++ b/tests/app/user/test_rest.py
@@ -117,7 +117,7 @@ def test_post_user_missing_attribute_email(notify_api, notify_db, notify_db_sess
             assert {'email_address': ['Missing data for required field.']} == json_resp['message']
 
 
-def test_post_user_missing_attribute_password(notify_api, notify_db, notify_db_session):
+def test_create_user_missing_attribute_password(notify_api, notify_db, notify_db_session):
     """
     Tests POST endpoint '/' missing attribute password.
     """
@@ -532,3 +532,30 @@ def test_send_user_confirm_new_email_returns_400_when_email_missing(client, samp
     assert resp.status_code == 400
     assert json.loads(resp.get_data(as_text=True))['message'] == {'email': ['Missing data for required field.']}
     mocked.assert_not_called()
+
+
+def test_post_user_update_password(client, sample_service):
+    assert User.query.count() == 1
+    sample_user = sample_service.users[0]
+    new_password = '1234567890'
+    data = {
+        '_password': new_password
+    }
+    auth_header = create_authorization_header()
+    headers = [('Content-Type', 'application/json'), auth_header]
+    resp = client.post(
+        url_for('user.update_password', user_id=sample_user.id),
+        data=json.dumps(data),
+        headers=headers)
+    assert resp.status_code == 200
+    assert User.query.count() == 1
+    json_resp = json.loads(resp.get_data(as_text=True))
+    assert json_resp['data']['password_changed_at'] is not None
+    data = {'password': new_password}
+    auth_header = create_authorization_header()
+    headers = [('Content-Type', 'application/json'), auth_header]
+    resp = client.post(
+        url_for('user.verify_user_password', user_id=str(sample_user.id)),
+        data=json.dumps(data),
+        headers=headers)
+    assert resp.status_code == 204