diff --git a/application/auth/routes.py b/application/auth/routes.py
index 043aaf9..b37b025 100644
--- a/application/auth/routes.py
+++ b/application/auth/routes.py
@@ -1,8 +1,9 @@
-from flask import Blueprint, request, render_template
+from flask import Blueprint, request, render_template, redirect, url_for
 from flask_login import current_user, login_user
-from forms import LoginForm
+from forms import LoginForm, ChangePasswordForm
 from models import User
 from application.utils import default_return
+from application import db
 
 bp = Blueprint(
     "auth",
@@ -28,3 +29,22 @@ def login():
             pass
             # invalid user
     return render_template("login.html", form=form)
+
+
+@bp.route("/change_password", methods=["GET", "POST"])
+def change_password():
+    if not current_user.is_authenticated:
+        return redirect(url_for("auth.login"))
+
+    form = ChangePasswordForm()
+    if form.validate_on_submit():
+        cur_check = current_user.check_password(
+            password=form.current_password.data
+        )
+        eq_check = form.new_password.data == form.confirm_password.data
+        if cur_check and eq_check:
+            current_user.change_password(form.new_password.data)
+            current_user.set_pw_change(False)
+            db.session.commit()
+            return default_return()
+    return render_template("change_password.html", form=form)
diff --git a/application/auth/templates/change_password.html b/application/auth/templates/change_password.html
new file mode 100644
index 0000000..11a470c
--- /dev/null
+++ b/application/auth/templates/change_password.html
@@ -0,0 +1,46 @@
+{% extends "base.html" %}
+
+{% block content %}
+<div class="container d-flex justify-content-center align-items-center">
+    <div class="card shadow-sm p-4" style="width: 100%; max-width: 400px;">
+        <h3 class="mb-4 text-center">Login</h3>
+        <form method="post">
+            {{ form.hidden_tag() }}
+
+            <div class="mb-3">
+                {{ form.current_password.label(class="form-label") }}
+                {{ form.current_password(class="form-control", placeholder="") }}
+                {% if form.current_password.errors %}
+                <div class="text-danger small">
+                    {{ form.current_password.errors[0] }}
+                </div>
+                {% endif %}
+            </div>
+
+            <div class="mb-3">
+                {{ form.new_password.label(class="form-label") }}
+                {{ form.new_password(class="form-control", placeholder="Enter password") }}
+                {% if form.new_password.errors %}
+                <div class="text-danger small">
+                    {{ form.new_password.errors[0] }}
+                </div>
+                {% endif %}
+            </div>
+
+            <div class="mb-3">
+                {{ form.confirm_password.label(class="form-label") }}
+                {{ form.confirm_password(class="form-control", placeholder="Enter password") }}
+                {% if form.confirm_password.errors %}
+                <div class="text-danger small">
+                    {{ form.confirm_password.errors[0] }}
+                </div>
+                {% endif %}
+            </div>
+
+            <div class="d-grid">
+                {{ form.submit(class="btn btn-primary btn-lg") }}
+            </div>
+        </form>
+    </div>
+</div>
+{% endblock%}
\ No newline at end of file
diff --git a/application/auth/templates/login.html b/application/auth/templates/login.html
index e65d635..69597be 100644
--- a/application/auth/templates/login.html
+++ b/application/auth/templates/login.html
@@ -4,7 +4,7 @@
 <div class="container d-flex justify-content-center align-items-center">
     <div class="card shadow-sm p-4" style="width: 100%; max-width: 400px;">
         <h3 class="mb-4 text-center">Login</h3>
-        <form method="post" novalidate>
+        <form method="post">
             {{ form.hidden_tag() }}
 
             <div class="mb-3">
diff --git a/application/templates/base.html b/application/templates/base.html
index 7323c8f..37428ff 100644
--- a/application/templates/base.html
+++ b/application/templates/base.html
@@ -36,7 +36,7 @@
                         </li>
                         {% else %}
                         <li class="nav-item">
-                            <a class="nav-link" href="{{ url_for('login') }}">Login</a>
+                            <a class="nav-link" href="{{ url_for('auth.login') }}">Login</a>
                         </li>
                         {% endif %}
                         <li class="nav-item">
diff --git a/application/utils.py b/application/utils.py
index 3cb5a5b..6631122 100644
--- a/application/utils.py
+++ b/application/utils.py
@@ -6,7 +6,7 @@ from typing import Optional
 def login_required():
     if not current_user.is_authenticated:
         return redirect(url_for("auth.login"))
-        # if current_user.must_change_password:
+    if current_user.must_change_password:
         flash("You have to change your password")
         return redirect(url_for("auth.change_password"))
     return
diff --git a/forms.py b/forms.py
index 70c64ab..0497b9e 100644
--- a/forms.py
+++ b/forms.py
@@ -11,7 +11,18 @@ from wtforms.validators import DataRequired, InputRequired, Optional
 class LoginForm(FlaskForm):
     username = StringField("Username", validators=[DataRequired()])
     password = PasswordField("Password", validators=[DataRequired()])
-    submit = SubmitField("auth.login")
+    submit = SubmitField("Log in")
+
+
+class ChangePasswordForm(FlaskForm):
+    current_password = PasswordField(
+        "Current password", validators=[DataRequired()]
+    )
+    new_password = PasswordField("New password", validators=[DataRequired()])
+    confirm_password = PasswordField(
+        "Confirm new password", validators=[DataRequired()]
+    )
+    submit = SubmitField("Change password")
 
 
 class FoodItemForm(FlaskForm):
diff --git a/models.py b/models.py
index dd1226c..22ca4b8 100644
--- a/models.py
+++ b/models.py
@@ -36,6 +36,9 @@ class User(UserMixin, db.Model):
     def change_password(self, password: str) -> None:
         self.password = generate_password_hash(password=password)
 
+    def set_pw_change(self, change: bool) -> None:
+        self.must_change_password = change
+
 
 class Unit(db.Model):
     __tablename__ = "unit"