diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index a65b1f137..e66425a80 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -10,6 +10,10 @@ class UsersController < ApplicationController
 bypass_sign_in @user
 flash[:notice] = I18n.t("devise.passwords.updated") if user_params.key?("password")
 redirect_to user_path(@user)
+ elsif user_params.key?("password")
+ render :edit_password, status: :unprocessable_entity
+ else
+ render :edit, status: :unprocessable_entity
 end
 end
@@ -48,7 +52,7 @@ private
 end
 def user_params
- params.require(:user).permit(:email, :name, :password, :role)
+ params.require(:user).permit(:email, :name, :password, :password_confirmation, :role)
 end
 def find_resource
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
index 3d4d5e7b8..f355ba993 100644
--- a/app/views/users/edit.html.erb
+++ b/app/views/users/edit.html.erb
@@ -10,6 +10,8 @@
 <%= form_for(current_user, as: :user, html: { method: :patch }) do |f| %>
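Review bot: The new `elsif user_params.key?("password")` branch completes a signed-in password-change flow in which the caller's current password is never verified: `user_params` does not permit `:current_password`, nothing in this hunk checks it, and the edit_password.html.erb hunk removes the field from the form, so the `bypass_sign_in @user` success path sets a new password on the strength of the session cookie alone. If this self-service route is meant to require re-authentication, save through Devise's `update_with_password(user_params)` and permit `:current_password`; if it is intentionally exempt (admin-only or token-gated), record that above the branch with a comment such as `# No current-password check here: <reason to be confirmed>`. The `if` these branches belong to opens before the hunk, so the exact save call is not visible. Rendering `:edit_password` from here also depends on `@minimum_password_length`, which the view nil-guards but which this action may not assign, so the length hint probably disappears on the 422 re-render.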
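Review bot: The rewritten permit list still includes `:role` next to the new `:password_confirmation`, and the spec hunks show this action being reached by an ordinary signed-in user patching `/users/:id`, so unless an authorization layer outside this diff checks or strips it, the same request can carry `user[role]` and reassign the caller's role by mass assignment. Permitting `:role` only for callers allowed to set it, e.g. `attrs = %i[email name password password_confirmation]` / `attrs << :role if <admin check>` / `params.require(:user).permit(*attrs)`, keeps the self-service path from touching it; if that check already exists elsewhere, a one-line comment pointing to it would make that explicit. `find_resource` begins at the hunk's last line, so whether `@user` is scoped to `current_user` is not visible.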
+ <%= f.govuk_error_summary %>
+

<%= content_for(:title) %>

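Review bot: The added `f.govuk_error_summary` is bound to `current_user` (the form object on the context line above), while the controller's new `render :edit, status: :unprocessable_entity` branch leaves the validation errors on `@user`; since `@user` is presumably loaded separately by `find_resource`, it is a different object from `current_user` even for the same account, so the summary will likely render empty and the 422 page will show no reason. The edit_password.html.erb hunk already switches to `form_for(@user, …)`; making the same change here, `<%= form_for(@user, as: :user, html: { method: :patch }) do |f| %>`, keeps both views consistent with the controller. The form's `<% end %>` lies outside the hunk.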
diff --git a/app/views/users/edit_password.html.erb b/app/views/users/edit_password.html.erb
index e95f4e869..9c1f29088 100644
--- a/app/views/users/edit_password.html.erb
+++ b/app/views/users/edit_password.html.erb
@@ -7,23 +7,25 @@
 ) %> <% end %>
-<%= form_for(current_user, as: :user, html: { method: :patch }) do |f| %>
+<%= form_for(@user, as: :user, html: { method: :patch }) do |f| %>
+ <%= f.govuk_error_summary %>
+

<%= content_for(:title) %>

- <%= f.govuk_password_field :current_password,
- label: { text: "Current password" },
- autocomplete: "current-password"
- %>
-
 <%= f.govuk_password_field :password,
+ label: { text: "New password" },
 hint: @minimum_password_length ? { text: "Your password must be at least #{@minimum_password_length} characters and hard to guess." } : nil, autocomplete: "new-password" %>
+ <%= f.govuk_password_field :password_confirmation,
+ label: { text: "Confirm new password" }
+ %>
+ <%= f.govuk_submit "Update" %>
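Review bot: The new `:password_confirmation` field omits `autocomplete: "new-password"` while the `:password` field above sets it; adding `autocomplete: "new-password"` to the confirmation field makes browsers and password managers treat both inputs as the same new credential instead of offering a saved one. The `form_for` block's `<% end %>` lies outside the hunk.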
diff --git a/app/views/users/reset_password.html.erb b/app/views/users/reset_password.html.erb
index 656eaa264..e12a0beed 100644
--- a/app/views/users/reset_password.html.erb
+++ b/app/views/users/reset_password.html.erb
@@ -11,6 +11,8 @@
 <%= f.hidden_field :reset_password_token %>
+ <%= f.govuk_error_summary %>
+

<%= content_for(:title) %>

diff --git a/spec/requests/user_controller_spec.rb b/spec/requests/user_controller_spec.rb
index c247ced48..ad7294469 100644
--- a/spec/requests/user_controller_spec.rb
+++ b/spec/requests/user_controller_spec.rb
@@ -44,6 +44,24 @@ RSpec.describe UsersController, type: :request do
 get "/users/password/edit?reset_password_token=#{enc}"
 expect(page).to have_css("h1", class: "govuk-heading-l", text: "Reset your password")
 end
+
+ context "update password" do
+ let(:params) do
+ {
+ id: user.id, user: { password: new_value, password_confirmation: "something_else" }
+ }
+ end
+
+ before do
+ sign_in user
+ put "/users/#{user.id}", headers: headers, params: params
+ end
+
+ it "shows an error if passwords don't match" do
+ expect(response).to have_http_status(:unprocessable_entity)
+ expect(page).to have_selector("#error-summary-title")
+ end
+ end
 end
 end
@@ -144,5 +162,23 @@ RSpec.describe UsersController, type: :request do
 expect(response).to have_http_status(:not_found)
 end
 end
+
+ context "update password" do
+ let(:params) do
+ {
+ id: user.id, user: { password: new_value, password_confirmation: "something_else" }
+ }
+ end
+
+ before do
+ sign_in user
+ patch "/users/#{user.id}", headers: headers, params: params
+ end
+
+ it "shows an error if passwords don't match" do
+ expect(response).to have_http_status(:unprocessable_entity)
+ expect(page).to have_selector("#error-summary-title")
+ end
+ end
 end
 end
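Review bot: Both added `context "update password"` blocks (this hunk and the one at `@@ -44,6`) assert only the 422 status and the presence of the error summary; neither checks that the stored password was left unchanged, which is the property the confirmation check exists to protect. Add `expect(user.reload.valid_password?(new_value)).to be(false)` after the status expectation, and ideally a matching-confirmation example that asserts the redirect and that `valid_password?(new_value)` becomes true. The two contexts differ only in `put` versus `patch`, so a shared example group or a loop over `%i[put patch]` would remove the duplicated `let` and `before` blocks. `new_value` and `headers` are defined outside the hunk, so their values are not visible here.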