diff --git a/src/api/users.js b/src/api/users.js
index 54b26d1845..9b16717aac 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -23,19 +23,28 @@ usersAPI.create = async function (caller, data) {
 };
 usersAPI.update = async function (caller, data) {
+	if (!caller.uid) {
+		throw new Error('[[error:invalid-uid]]');
+	}
+
+	if (!data || !data.uid) {
+		throw new Error('[[error:invalid-data]]');
+	}
+
 	const oldUserData = await user.getUserFields(data.uid, ['email', 'username']);
 	if (!oldUserData || !oldUserData.username) {
 		throw new Error('[[error:invalid-data]]');
 	}
-	const [isAdminOrGlobalMod, canEdit, passwordMatch] = await Promise.all([
+	const [isAdminOrGlobalMod, canEdit, hasPassword, passwordMatch] = await Promise.all([
 		user.isAdminOrGlobalMod(caller.uid),
 		privileges.users.canEdit(caller.uid, data.uid),
+		user.hasPassword(data.uid),
 		data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false,
 	]);
 	// Changing own email/username requires password confirmation
-	if (['email', 'username'].some(prop => Object.keys(data).includes(prop)) && !isAdminOrGlobalMod && caller.uid === data.uid && !passwordMatch) {
+	if (['email', 'username'].some(prop => Object.keys(data).includes(prop)) && !isAdminOrGlobalMod && caller.uid === data.uid && hasPassword && !passwordMatch) {
 		throw new Error('[[error:invalid-password]]');
 	}
@@ -69,6 +78,8 @@ usersAPI.update = async function (caller, data) {
 	if (userData.username !== oldUserData.username) {
 		await log('username-change', { oldUsername: oldUserData.username, newUsername: userData.username });
 	}
+
+	return userData;
 };
 usersAPI.delete = async function (caller, data) {
diff --git a/test/user.js b/test/user.js
index 060137e3d4..d0a9d337e6 100644
--- a/test/user.js
+++ b/test/user.js
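Review bot: The new `if (!data || !data.uid)` guard accepts `data.uid` in any truthy form, yet the password-confirmation branch below is keyed on strict equality `caller.uid === data.uid`; if a caller path hands uid in as a string (an HTTP body or query value, say), a self-edit of email/username would compare unequal, be treated as editing another user, and skip the password check entirely, relying on `canEdit` alone. Normalising the target uid once at the guard closes that gap, e.g. `const targetUid = parseInt(data.uid, 10); if (!data || !targetUid) { throw new Error('[[error:invalid-data]]'); }` and using `targetUid` in the comparison. The `hasPassword &&` addition also deserves a word in the existing comment, since it now deliberately waives confirmation for accounts with no local password: `// Changing own email/username requires password confirmation (waived for accounts with no local password, e.g. SSO-only logins)`. The body of usersAPI.update continues past this hunk.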
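Review bot: The added `return userData;` hands the updated record back to whatever transport wraps this API (the test below reads it as the `result` of `socketUser.updateProfile`), and nothing in the hunk shows which fields `userData` carries; `userData` is built outside this hunk, so confirm it is a filtered profile object rather than the raw stored hash (the test asserts the stored `password` field is a bcrypt string, so leaking it here would be the concern). A one-line JSDoc on the function, `@returns {Promise<object>} the updated user fields, with no credential material`, would pin the contract for callers.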
@@ -805,6 +805,7 @@ describe('User', function () {
 				groupTitle: 'testGroup',
 				birthday: '01/01/1980',
 				signature: 'nodebb is good',
+				password: '123456',
 			};
 			socketUser.updateProfile({ uid: uid }, data, function (err, result) {
 				assert.ifError(err);
@@ -816,7 +817,11 @@ describe('User', function () {
 				db.getObject('user:' + uid, function (err, userData) {
 					assert.ifError(err);
 					Object.keys(data).forEach(function (key) {
-						assert.equal(data[key], userData[key]);
+						if (key !== 'password') {
+							assert.equal(data[key], userData[key]);
+						} else {
+							assert(userData[key].startsWith('$2a$'));
+						}
 					});
 					done();
 				});
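Review bot: The `else` branch in the second hunk pins the stored password to the exact bcrypt prefix `$2a$`, so a hashing-library change that emits `$2b$` or `$2y$` would fail this test for a reason unrelated to the profile update, while the property that actually matters — the plaintext never reaches the database — is only checked indirectly. Asserting both explicitly keeps the intent clear: `assert.notStrictEqual(userData[key], data[key]);` followed by `assert(/^\$2[aby]\$/.test(userData[key]));`. A short comment such as `// password must be stored as a bcrypt hash, never the submitted plaintext` would also explain why this key is special-cased.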