diff --git a/pkg/server/controllers/users_test.go b/pkg/server/controllers/users_test.go
index eb7e1e09..2ff97acc 100644
--- a/pkg/server/controllers/users_test.go
+++ b/pkg/server/controllers/users_test.go
@@ -139,7 +139,7 @@ func TestJoin(t *testing.T) {
 	}
 }
 
-func TestJoniError(t *testing.T) {
+func TestJoinError(t *testing.T) {
 	t.Run("missing email", func(t *testing.T) {
 		defer testutils.ClearData(testutils.DB)
 
@@ -935,3 +935,134 @@ func TestCreateResetToken(t *testing.T) {
 		assert.Equal(t, tokenCount, 0, "reset_token count mismatch")
 	})
 }
+
+func TestUpdatePassword(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
+		defer testutils.ClearData(testutils.DB)
+
+		// Setup
+		server := MustNewServer(t, &app.App{
+			Clock: clock.NewMock(),
+			Config: config.Config{
+				PageTemplateDir: "../views",
+			},
+		})
+		defer server.Close()
+
+		user := testutils.SetupUserData()
+		testutils.SetupAccountData(user, "alice@example.com", "oldpassword")
+
+		// Execute
+		dat := url.Values{}
+		dat.Set("old_password", "oldpassword")
+		dat.Set("new_password", "newpassword")
+		dat.Set("new_password_confirmation", "newpassword")
+		req := testutils.MakeFormReq(server.URL, "PATCH", "/account/password", dat)
+
+		res := testutils.HTTPAuthDo(t, req, user)
+
+		// Test
+		assert.StatusCodeEquals(t, res, http.StatusFound, "Status code mismsatch")
+
+		var account database.Account
+		testutils.MustExec(t, testutils.DB.Where("user_id = ?", user.ID).First(&account), "finding account")
+
+		passwordErr := bcrypt.CompareHashAndPassword([]byte(account.Password.String), []byte("newpassword"))
+		assert.Equal(t, passwordErr, nil, "Password mismatch")
+	})
+
+	t.Run("old password mismatch", func(t *testing.T) {
+		defer testutils.ClearData(testutils.DB)
+		// Setup
+		server := MustNewServer(t, &app.App{
+			Clock: clock.NewMock(),
+			Config: config.Config{
+				PageTemplateDir: "../views",
+			},
+		})
+		defer server.Close()
+
+		u := testutils.SetupUserData()
+		a := testutils.SetupAccountData(u, "alice@example.com", "oldpassword")
+
+		// Execute
+		dat := url.Values{}
+		dat.Set("old_password", "randompassword")
+		dat.Set("new_password", "newpassword")
+		dat.Set("new_password_confirmation", "newpassword")
+		req := testutils.MakeFormReq(server.URL, "PATCH", "/account/password", dat)
+
+		res := testutils.HTTPAuthDo(t, req, u)
+
+		// Test
+		assert.StatusCodeEquals(t, res, http.StatusUnauthorized, "Status code mismsatch")
+
+		var account 
database.Account
+		testutils.MustExec(t, testutils.DB.Where("user_id = ?", u.ID).First(&account), "finding account")
+		assert.Equal(t, a.Password.String, account.Password.String, "password should not have been updated")
+	})
+
+	t.Run("password too short", func(t *testing.T) {
+		defer testutils.ClearData(testutils.DB)
+
+		// Setup
+		server := MustNewServer(t, &app.App{
+			Clock: clock.NewMock(),
+			Config: config.Config{
+				PageTemplateDir: "../views",
+			},
+		})
+		defer server.Close()
+
+		u := testutils.SetupUserData()
+		a := testutils.SetupAccountData(u, "alice@example.com", "oldpassword")
+
+		// Execute
+		dat := url.Values{}
+		dat.Set("old_password", "oldpassword")
+		dat.Set("new_password", "a")
+		dat.Set("new_password_confirmation", "a")
+		req := testutils.MakeFormReq(server.URL, "PATCH", "/account/password", dat)
+
+		res := testutils.HTTPAuthDo(t, req, u)
+
+		// Test
+		assert.StatusCodeEquals(t, res, http.StatusBadRequest, "Status code mismsatch")
+
+		var account database.Account
+		testutils.MustExec(t, testutils.DB.Where("user_id = ?", u.ID).First(&account), "finding account")
+		assert.Equal(t, a.Password.String, account.Password.String, "password should not have been updated")
+	})
+
+	t.Run("password confirmation mismatch", func(t *testing.T) {
+		defer testutils.ClearData(testutils.DB)
+
+		// Setup
+		server := MustNewServer(t, &app.App{
+			Clock: clock.NewMock(),
+			Config: config.Config{
+				PageTemplateDir: "../views",
+			},
+		})
+		defer server.Close()
+
+		u := testutils.SetupUserData()
+		a := testutils.SetupAccountData(u, "alice@example.com", "oldpassword")
+
+		// Execute
+		dat := url.Values{}
+		dat.Set("old_password", "oldpassword")
+		dat.Set("new_password", "newpassword1")
+		dat.Set("new_password_confirmation", "newpassword2")
+		req := testutils.MakeFormReq(server.URL, "PATCH", "/account/password", dat)
+
+		res := testutils.HTTPAuthDo(t, req, u)
+
+		// Test
+		assert.StatusCodeEquals(t, res, http.StatusBadRequest, "Status code mismsatch")
+
+		var account 
database.Account
+		testutils.MustExec(t, testutils.DB.Where("user_id = ?", u.ID).First(&account), "finding account")
+		assert.Equal(t, a.Password.String, account.Password.String, "password should not have been updated")
+	})
+}
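Review bot: None of the four subtests added in TestUpdatePassword exercises /account/password without a session — every request goes through testutils.HTTPAuthDo — so the suite never pins that an anonymous PATCH is rejected and leaves the stored hash untouched, which is the most important negative case for a credential-changing handler. A fifth subtest in the shape of "old password mismatch" covers it; the expected status depends on what the auth middleware returns for anonymous requests (this hunk only shows 401 for a wrong old password), and if the middleware redirects to a login page the client needs `CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }` so the assertion sees the redirect rather than the followed page. The handler itself is outside this hunk, so whether a successful change invalidates other sessions cannot be judged here; if it does, that is worth a subtest as well. Smaller points: the message `"Status code mismsatch"` is misspelled in all four subtests, and the first subtest names the user `user` while the other three use `u`.
```go
	t.Run("unauthenticated", func(t *testing.T) {
		defer testutils.ClearData(testutils.DB)

		// … unchanged: server setup as in the other subtests …

		u := testutils.SetupUserData()
		a := testutils.SetupAccountData(u, "alice@example.com", "oldpassword")

		dat := url.Values{}
		dat.Set("old_password", "oldpassword")
		dat.Set("new_password", "newpassword")
		dat.Set("new_password_confirmation", "newpassword")
		req := testutils.MakeFormReq(server.URL, "PATCH", "/account/password", dat)

		// No session cookie: send the request directly instead of through HTTPAuthDo.
		client := &http.Client{
			CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		}
		res, err := client.Do(req)
		if err != nil {
			t.Fatal(err)
		}
		defer res.Body.Close()

		// TODO(review): confirm the status the auth middleware returns for anonymous requests.
		assert.StatusCodeEquals(t, res, http.StatusUnauthorized, "Status code mismatch")

		var account database.Account
		testutils.MustExec(t, testutils.DB.Where("user_id = ?", u.ID).First(&account), "finding account")
		assert.Equal(t, a.Password.String, account.Password.String, "password should not have been updated")
	})
```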