diff --git a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
index 3b2803e43f..411b978acc 100644
--- a/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
+++ b/source/java/org/alfresco/rest/api/impl/PeopleImpl.java
@@ -519,6 +519,10 @@ public class PeopleImpl implements People
 // The user is not an admin user and is not attempting to update *their own* details.
 throw new PermissionDeniedException();
 }
+ if (!isAdminAuthority() && person.getOldPassword() != null && person.getPassword() == null)
+ {
+ throw new IllegalArgumentException("To change password, both 'oldPassword' and 'password' fields are required.");
+ }
 final String personIdToUpdate = validatePerson(personId);
 final Map properties = person.toProperties();
diff --git a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
index 1369c47c92..4a1eca19d9 100644
--- a/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
+++ b/source/test-java/org/alfresco/rest/api/tests/TestPeople.java
@@ -1030,6 +1030,10 @@ public class TestPeople extends EnterpriseTestApi
 // update with no oldPassword
 people.update(me.getId(), qjson("{ `password`:`newpassword456` }"), 403);
+
+ // update with no password
+ people.update(me.getId(), qjson("{ `oldPassword`:`newpassword456`, `password`:`` }"), 400);
+ people.update(me.getId(), qjson("{ `oldPassword`:`newpassword456` }"), 400);
 }
 @Test
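Review bot: The added guard in the PeopleImpl hunk treats only a `null` password as missing, while the accompanying test also expects 400 when `password` is an empty string sent alongside `oldPassword`. Unless empty values are normalised to null or rejected by validation outside this hunk, an empty new password from a non-admin caller would pass this check and continue to `validatePerson` and whatever password handling follows. If that is not covered elsewhere, make the intent explicit with `if (!isAdminAuthority() && person.getOldPassword() != null && (person.getPassword() == null || person.getPassword().isEmpty()))`. The enclosing method starts and ends outside the hunk, so the later credential handling cannot be confirmed from here.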
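Review bot: The two new 400 cases in the TestPeople hunk assert only the status code, so they do not show that the stored password is left unchanged after the rejected request, and nothing here covers the admin caller that the new guard explicitly exempts. Consider following them with an authentication check using the password that is still current, and adding a case for an admin sending only `oldPassword` so the exemption is pinned by a test. A short comment such as `// oldPassword without a new password must be rejected before any credential change` would state the intent. The test method starts outside the hunk, so which password is current at this point is not visible.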