diff --git a/kernelci/api/latest.py b/kernelci/api/latest.py
index a3213a7b0a..4c5d5a96f5 100644
--- a/kernelci/api/latest.py
+++ b/kernelci/api/latest.py
@@ -51,6 +51,19 @@ def whoami(self) -> dict:
     def password_hash(self, password: str) -> dict:
         return self._post('/hash', {'password': password}).json()
 
+    def change_password(self, username: str, current: str, new: str) -> dict:
+        """Change a password for a given user"""
+        return self._post(
+            '/password',
+            {
+                'current_password': {'password': current},
+                'new_password': {'password': new},
+            },
+            {
+                'username': username,
+            },
+        ).json()
+
     def create_token(self, username: str, password: str,
                      scopes: Optional[Sequence[str]] = None) -> str:
         data = {
diff --git a/kernelci/cli/user.py b/kernelci/cli/user.py
index 4e4db5ce63..6f012c1136 100644
--- a/kernelci/cli/user.py
+++ b/kernelci/cli/user.py
@@ -50,6 +50,21 @@ def _api_call(self, api, configs, args):
         return True
 
 
+class cmd_change_password(APICommand):  # pylint: disable=invalid-name
+    """Change a password for a given user"""
+    args = APICommand.args + [Args.username]
+
+    def _api_call(self, api, configs, args):
+        current = getpass.getpass("Current password: ")
+        new = getpass.getpass("New password: ")
+        retyped = getpass.getpass("Retype new password: ")
+        if new != retyped:
+            print("Sorry, passwords do not match.")
+            return False
+        api.change_password(args.username, current, new)
+        return True
+
+
 class cmd_get_group(APICommand):  # pylint: disable=invalid-name
     """Get a user group with a given ID"""
     args = APICommand.args + [Args.group_id]