diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb new file mode 100644 index 0000000..2197e01 --- /dev/null +++ b/app/controllers/passwords_controller.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +class PasswordsController < ApplicationController + def edit + @user = Current.user + end + + def update + if Current.user.update!(password_params) + redirect_to Current.user, notice: t(".success") + else + flash.now[:alert] = t(".error") + render :edit, status: :unprocessable_entity + end + end + + private + + def password_params + params.require(:user).permit( + :password_challenge, + :password, + :password_confirmation, + ) + end +end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 95d6a5f..1298ece 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -55,9 +55,6 @@ class UsersController < ApplicationController def existing_user_params params.require(:user).permit( - :password, - :password_confirmation, - :password_challenge, :first_name, :last_name, :profile, diff --git a/app/views/passwords/edit.html.erb b/app/views/passwords/edit.html.erb new file mode 100644 index 0000000..68027c0 --- /dev/null +++ b/app/views/passwords/edit.html.erb @@ -0,0 +1,21 @@ +<%= content_for :title, t(".change_password") %> + +
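Review bot: The current-password check in `update` can be skipped by leaving `password_challenge` out of the request, assuming the User model uses `has_secure_password`, whose challenge validation only runs when that attribute is non-nil. The new "should update password" test in test/controllers/password_controller_test.rb changes the password without sending it. Default the key in `password_params` so a missing value fails validation: `params.require(:user).permit(:password_challenge, :password, :password_confirmation).with_defaults(password_challenge: "")`. Separately, `update!` raises on a validation failure, so the `else` branch never runs. Use `if Current.user.update(password_params)` and set `@user = Current.user` before `render :edit`, because the template reads `@user`.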

<%= t(".change_password") %>

+ +
+ <%= form_with model: @user, url: user_password_path(@user), method: :patch do |f| %> + <%= f.label :password_challenge, t(".current_password") %> + <%= f.password_field :password_challenge %> + <%= display_form_errors(@user, :password_challenge) %> + + <%= f.label :password %> + <%= f.password_field :password %> + <%= display_form_errors(@user, :password) %> + + <%= f.label :password_confirmation %> + <%= f.password_field :password_confirmation %> + <%= display_form_errors(@user, :password_confirmation) %> + + <%= f.submit t(".update_password") %> + <% end %> +
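Review bot: The three password fields in this form carry no `required` or `autocomplete` attributes, so browsers and password managers cannot tell the current password from the new one and an empty form is submitted as-is. Consider `f.password_field :password_challenge, required: true, autocomplete: "current-password"` and `autocomplete: "new-password"` on `:password` and `:password_confirmation`. These are client-side hints only; the server-side challenge validation still has to enforce the check.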
diff --git a/app/views/users/_form.html.erb b/app/views/users/_form.html.erb index d001b30..fb0e3cf 100644 --- a/app/views/users/_form.html.erb +++ b/app/views/users/_form.html.erb @@ -18,25 +18,19 @@ <%= f.text_field :email, required: true, disabled: user.persisted? %> <%= display_form_errors(user, :email) %> -
- <%= t(".password") %> + <% if user.new_record? %> +
+ <%= t(".password") %> - <% if user.persisted? %> - <%= f.label :password_challenge, t(".current_password") %> - <%= f.password_field :password_challenge, required: user.new_record? %> - <%= display_form_errors(user, :password_challenge) %> + <%= f.label :password %> + <%= f.password_field :password, required: user.new_record? %> + <%= display_form_errors(user, :password) %> -

<%= t(".password_hint") %>

- <% end %> - - <%= f.label :password %> - <%= f.password_field :password, required: user.new_record? %> - <%= display_form_errors(user, :password) %> - - <%= f.label :password_confirmation %> - <%= f.password_field :password_confirmation, required: user.new_record? %> - <%= display_form_errors(user, :password_confirmation) %> -
+ <%= f.label :password_confirmation %> + <%= f.password_field :password_confirmation, required: user.new_record? %> + <%= display_form_errors(user, :password_confirmation) %> +
+ <% end %>
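Review bot: Inside the new `<% if user.new_record? %>` guard, `required: user.new_record?` on `:password` and `:password_confirmation` is always true and reads as if it could vary; `required: true` says the same thing directly. As far as this diff shows, the partial also no longer references `password_hint` or `current_password`, and the `update_password` key added under `users.form` in config/locales/en.yml is not used here either, so those locale entries look like dead keys worth removing. The partial starts and ends outside the hunk.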
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb index dce3cfd..c018090 100644 --- a/app/views/users/edit.html.erb +++ b/app/views/users/edit.html.erb @@ -4,3 +4,7 @@ <%= render partial: "users/form", locals: { user: @user, button_text: t(".update_profile") } %> + +
+ <%= link_to t(".update_password"), edit_user_password_path(Current.user) %> +
diff --git a/config/locales/en.yml b/config/locales/en.yml index 87f966a..567f0a0 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -71,6 +71,15 @@ en: invalid_token: That token seems to have expired, please try resettting your password again. success: Your password has been reset, you may now log in. error: Failed to reset password. Please try again or contact us for help. + passwords: + edit: + change_password: Change your password + current_password: Current password + update_password: Update password + update: + success: Your password has been updated + error: Failed to update password + sessions: create: success: "Hello, %{name}!" @@ -156,10 +165,12 @@ en: edit: edit_profile: Edit profile update_profile: Update profile + update_password: Change your password form: password: Password password_hint: To keep your existing password, leave the below fields blank current_password: Current password + update_password: Change your password update: success: Your profile has been updated error: Failed to update profile @@ -183,4 +194,3 @@ en: If you did not request a password reset, please ignore this email. Otherwise, please visit the link below to reset your password. - diff --git a/config/routes.rb b/config/routes.rb index a21bb2f..6a04b64 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -8,7 +8,9 @@ Rails.application.routes.draw do get "login" => "sessions#new", as: :login delete "logout" => "sessions#destroy", as: :logout - resources :users, only: [ :new, :create, :show, :edit, :update ] + resources :users, only: [ :new, :create, :show, :edit, :update ] do + resource :password, only: [ :edit, :update ] + end resources :account_verifications, only: [ :show ] resources :password_resets, only: [ :new, :create, :edit, :update ] resources :sessions, only: [ :new, :create, :destroy ] diff --git a/test/controllers/password_controller_test.rb b/test/controllers/password_controller_test.rb new file mode 100644 index 0000000..ffb3e37 --- /dev/null 
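Review bot: Nesting `resource :password` under `resources :users` in config/routes.rb adds a `:user_id` segment that PasswordsController (added in this commit) never reads, because it always works on `Current.user`. A request to `/users/:user_id/password` for a different id therefore shows and updates the signed-in user's password under a URL that names someone else, which is confusing in logs and audits. Either declare a top-level singular resource, `resource :password, only: [ :edit, :update ]` (the helpers become `edit_password_path` / `password_path`), or have the controller reject a `params[:user_id]` that does not match `Current.user`. The `routes.draw` block continues outside the hunk.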
+++ b/test/controllers/password_controller_test.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +require "test_helper" + +class PasswordsControllerTest < ActionDispatch::IntegrationTest + test "should get edit" do + user = users(:trevor) + sign_in user + get edit_user_password_path(user) + assert_response :success + end + + test "should update password" do + user = users(:trevor) + sign_in user + patch user_password_path(user), params: { user: { password: "new_password", password_confirmation: "new_password" } } + assert_redirected_to user_path(user) + assert user.reload.authenticate("new_password") + end +end diff --git a/todo.md b/todo.md index 5648ce7..2a30609 100644 --- a/todo.md +++ b/todo.md @@ -1,10 +1,9 @@ - avatars - delete avatar - default avatars -- discrete password page - shared/private notes -- notifications - Add characters to users/tables - Character sheets/prototypes +- notifications - chat - maps
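Review bot: Neither test covers a rejection path: a wrong current password, a mismatched confirmation, or an unauthenticated request. The happy-path test should also send `password_challenge` with the fixture's real password (`"<fixture password>"`) so it exercises the intended flow. A negative case along the lines below would pin the current-password check; the 422 expectation assumes the controller re-renders the form on failure rather than raising. The file name `password_controller_test.rb` also does not match `passwords_controller.rb` and the `PasswordsControllerTest` class; `passwords_controller_test.rb` follows the convention.

```ruby
# … unchanged: "should get edit" and "should update password" tests …

test "should reject update when current password is wrong" do
  user = users(:trevor)
  sign_in user
  patch user_password_path(user), params: { user: { password_challenge: "not-the-current-password", password: "new_password", password_confirmation: "new_password" } }
  assert_response :unprocessable_entity
  assert_not user.reload.authenticate("new_password")
end
```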