diff --git a/apps/users.lua b/apps/users.lua
index ce35cd4..4a2189a 100644
--- a/apps/users.lua
+++ b/apps/users.lua
@@ -116,6 +116,11 @@ app:post("user_delete", "/:username/delete", function(self)
 return {redirect_to = self:url_for("user", {username = self.params.username})}
 end
+ if me:is_admin() then
+ util.inject_err_infobox("You can not delete the admin account!")
+ return {redirect_to = self:url_for("user", {username = self.params.username})}
+ end
+
 if not authenticate_user(target_user, self.params.password) then
 util.inject_err_infobox(self, "The password you entered is incorrect.")
 return {redirect_to = self:url_for("user_delete_confirm", {username = me.username})}
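Review bot: The added admin guard drops the request argument: `util.inject_err_infobox("You can not delete the admin account!")` omits the `self` that every other `inject_err_infobox` call in this hunk passes first, so the message lands in the request slot and no infobox is attached (or the helper fails on a string). It should read `util.inject_err_infobox(self, "You can not delete the admin account!")`. The guard also tests `me:is_admin()` rather than whether `target_user` is the admin; if the lines above the hunk already restrict deletion to the caller's own account the two are equivalent, otherwise `target_user:is_admin()` is the condition that actually protects the admin account. The handler's body begins and ends outside the hunk.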
@@ -199,6 +204,35 @@ app:post("user_set_avatar", "/:username/set_avatar", function(self)
 return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
 end)
+app:post("user_change_password", "/:username/new_password", function(self)
+ local me = util.get_logged_in_user(self)
+ if not me then
+ return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+ end
+ local target_user = Users:find({username = self.params.username})
+ if me.id ~= target_user.id then
+ return {redirect_to = self:url_for("user", {username = self.params.username})}
+ end
+ local password = self.params.new_password
+ local password2 = self.params.new_password2
+ if not validate_password(password) then
+ util.inject_err_infobox(self, "Password must be 10+ chars with: 1 uppercase, 1 lowercase, 1 number, 1 special char, and no spaces.")
+ return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+ end
+
+ if password ~= password2 then
+ util.inject_err_infobox(self, "Passwords do not match.")
+ return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+ end
+
+ me:update({
+ password_hash = auth.digest(password)
+ })
+ util.extend_session_cookie(self)
+ util.inject_infobox(self, "Password updated.")
+ return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
+end)
+
 app:get("user_settings", "/:username/settings", function(self)
 local me = util.get_logged_in_user(self)
 if me == nil then
@@ -345,6 +379,7 @@ app:post("user_logout", "/logout", function (self)
 local session = Sessions:find({key = self.session.session_key})
 session:delete()
+ self.session = nil
 return {redirect_to = self:url_for("user_login")}
 end)
diff --git a/util.lua b/util.lua
index 7c158ba..c55b84f 100644
--- a/util.lua
+++ b/util.lua
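Review bot: The new `user_change_password` handler rotates the password on the strength of the session alone — unlike `user_delete` in the previous hunk, it never calls `authenticate_user(target_user, ...)` with the current password, so anyone holding a live session (a left-open browser, a stolen cookie) can lock the real owner out. It also dereferences `target_user.id` right after `Users:find(...)`, which yields nil for an unknown `:username` and turns a bad URL into a runtime error instead of a redirect. Both are fixed by guarding the lookup and re-authenticating before `me:update`; the current-password field name below is a placeholder, since the form inputs in the settings template are not visible in this diff. Separately, `util.extend_session_cookie(self)` only refreshes the caller's own session, so other sessions of the same user stay valid after the change — worth deciding deliberately, and documenting on the handler if that is intended.
```lua
local target_user = Users:find({username = self.params.username})
if not target_user or me.id ~= target_user.id then
    return {redirect_to = self:url_for("user", {username = self.params.username})}
end
-- CURRENT_PASSWORD_PARAM: placeholder for the form field carrying the current password
if not authenticate_user(target_user, self.params.CURRENT_PASSWORD_PARAM) then
    util.inject_err_infobox(self, "The password you entered is incorrect.")
    return {redirect_to = self:url_for("user_settings", {username = self.params.username})}
end
-- … unchanged: new-password validation, match check, me:update, redirect …
```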
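Review bot: `self.session = nil` in `user_logout` assumes the framework treats a nil session as "clear the cookie"; if it instead just skips writing the session, the browser keeps the stale `session_key` and the next `Sessions:find` in this handler returns nil, so `session:delete()` errors. Clearing the key itself, `self.session.session_key = nil`, would make the intent unambiguous regardless of how a nil session is serialized; if the nil assignment is known to clear the cookie, a one-line comment saying so would save the next reader the same question. The `Sessions:find` result is also used without a nil check on the context line above, which is pre-existing but becomes more likely to bite once cookies can outlive their server-side session.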
@@ -165,6 +165,10 @@ end
 -- OTHER API
+function util.extend_session_cookie(req)
+ req.session.last_activity = os.time()
+end
+
 function util.validate_and_create_image(input_image, filename)
 local img = magick.load_image_from_blob(input_image)
diff --git a/views/user/settings.etlua b/views/user/settings.etlua
index 874a479..8583095 100644
--- a/views/user/settings.etlua
+++ b/views/user/settings.etlua
@@ -21,7 +21,16 @@
 <% render("views.common.babycode-editor-component", {ta_name = "signature", prefill = me.signature_original_markup, ta_placeholder = "Will be shown under each of your posts", optional = true}) %>
-
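Review bot: The name `extend_session_cookie` promises more than the body delivers — it only writes `req.session.last_activity = os.time()`, and nothing in the hunk touches a cookie's lifetime, so a reader has to guess what enforces the extension. A doc comment would settle it: `--- Stamp the session with the current time; session expiry is presumably enforced elsewhere by reading last_activity (confirm).`. The helper also assumes `req.session` is non-nil, which holds for the only caller visible in this diff (a logged-in user in `user_change_password`) but is worth stating in the comment so future callers do not hit an index error.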
- ">Delete account -
+
"> +
+
+
+
+ +
+ <% if not me:is_admin() then %> +
+ ">Delete account +
+ <% end %>