diff --git a/src/db/user.rs b/src/db/user.rs
index 1caaf98..b47d800 100644
--- a/src/db/user.rs
+++ b/src/db/user.rs
@@ -58,6 +58,13 @@ pub async fn update_info(
 	Ok(())
 }
 
+pub async fn update_password(db: &mut DbHook, id: &Uuid, password: &str) -> sqlx::Result<()> {
+	sqlx::query!("update users set password = $1 where id = $2", password, id)
+		.execute(&mut **db)
+		.await?;
+	Ok(())
+}
+
 pub async fn delete(trx: &mut TrxHook<'_>, id: &Uuid) -> sqlx::Result<()> {
 	sqlx::query!("delete from users where id = $1", id)
 		.execute(&mut **trx)
diff --git a/src/routes/account.rs b/src/routes/account.rs
index 96cf872..9cf38d3 100644
--- a/src/routes/account.rs
+++ b/src/routes/account.rs
@@ -3,14 +3,15 @@ use rocket::{
 	http::CookieJar,
 	response::Redirect,
 	serde::{json::Json, Serialize},
+	tokio::task,
 };
 use rocket_dyn_templates::{context, Template};
 use sqlx::Acquire;
 
 use crate::{
-	auth::session,
+	auth::{pw, session},
 	db::{
-		self, doll,
+		doll,
 		schema::{DollProfile, DollTagsDb, User},
 		user,
 	},
@@ -132,12 +133,52 @@ pub fn validate_new_passwords<'v>(new: &str, confirm: &str) -> form::Result<'v,
 }
 
 #[post("/settings/password", data = "<form>")]
-pub fn change_password(
+pub async fn change_password(
+	mut db: DollTagsDb,
 	user: User,
 	meta: CommonTemplateState,
-	form: Form<Contextual<'_, PasswordSettings<'_>>>,
-) -> Template {
-	todo!("meow");
+	mut form: Form<Contextual<'_, PasswordSettings<'_>>>,
+) -> PageResult {
+	let values = match form.value {
+		Some(ref v) => v,
+		None => {
+			return Ok(Template::render(
+				"account/settings",
+				context! {
+					user,
+					meta,
+					prev_common: form::Context::default(),
+					prev_password: &form.context,
+				},
+			)
+			.into())
+		}
+	};
+
+	let password = String::from(values.old_password);
+	let old_password = user.password.clone();
+	let right_password =
+		task::spawn_blocking(move || pw::verify(&password, &old_password)).await??;
+	if !right_password {
+		form.context
+			.push_error(Error::validation("wrong password").with_name("old_password"));
+		return Ok(Template::render(
+			"account/settings",
+			context! {
+				user,
+				meta,
+				prev_common: form::Context::default(),
+				prev_password: &form.context,
+			},
+		)
+		.into());
+	}
+
+	let new_password = String::from(values.password);
+	let new_password_hash = task::spawn_blocking(move || pw::hash(&new_password)).await??;
+	user::update_password(&mut *db, &user.id, &new_password_hash).await?;
+
+	Ok(Redirect::to(uri!("/account", show_settings)).into())
 }
 
 #[derive(Debug, Serialize)]