diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 41278a482..9391d330e 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -1,31 +1,20 @@
 class PasswordsController < ApplicationController
-  before_action :member_only
   respond_to :html, :xml, :json
   def edit
-    @user = User.find(params[:user_id])
-    check_privilege(@user)
-
+    @user = authorize User.find(params[:user_id]), policy_class: PasswordPolicy
     respond_with(@user)
   end
   def update
-    @user = User.find(params[:user_id])
-    check_privilege(@user)
-
+    @user = authorize User.find(params[:user_id]), policy_class: PasswordPolicy
     @user.update(user_params)
     flash[:notice] = @user.errors.none? ? "Password updated" : @user.errors.full_messages.join("; ")
     respond_with(@user, location: @user)
   end
-  private
-
-  def check_privilege(user)
-    raise User::PrivilegeError unless user.id == CurrentUser.id || CurrentUser.is_admin?
-  end
-
   def user_params
-    params.require(:user).permit(%i[signed_user_id old_password password password_confirmation])
+    params.fetch(:user, {}).permit(policy(:password).permitted_attributes)
   end
 end
diff --git a/app/policies/password_policy.rb b/app/policies/password_policy.rb
new file mode 100644
index 000000000..de693f981
--- /dev/null
+++ b/app/policies/password_policy.rb
@@ -0,0 +1,9 @@
+class PasswordPolicy < ApplicationPolicy
+  def update?
+    record.id == user.id || user.is_admin?
+  end
+
+  def permitted_attributes
+    [:signed_user_id, :old_password, :password, :password_confirmation]
+  end
+end
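Review bot: With `before_action :member_only` gone, the `authorize` call on the new `edit` and `update` lines is the only gate on these actions, and for `edit` Pundit will look up `PasswordPolicy#edit?`, which the policy in this commit does not define; the action therefore depends on `ApplicationPolicy` forwarding `edit?` to `update?` (Pundit's generated template does, but this project's `ApplicationPolicy` is not in the diff). If that base class instead has a permissive default or no `edit?` at all, an anonymous request now reaches the form (or a 500) where the old filter rejected it outright, so either confirm the delegation or make it explicit in the policy. The `user_params` line calls `policy(:password)`, which builds a `PasswordPolicy` whose `record` is the symbol `:password` rather than a `User`; that works only as long as `permitted_attributes` never touches `record`, and a comment would keep the next maintainer from adding a `record`-dependent branch there: `# policy built with a symbol record; permitted_attributes must stay record-independent`.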
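Review bot: `update?` authorizes on `record.id == user.id`, which is also true when both ids are nil, so an unsaved `User` record paired with a not-logged-in placeholder user whose `id` is nil would be authorized; the controller only passes `User.find` results today, but policies get reused from views and other controllers. ActiveRecord's `==` already requires a non-nil id on the receiver, so `record == user || user.is_admin?` closes that gap without changing the normal path. The policy also defines no `edit?`, so the password form is gated only if `ApplicationPolicy` (not shown here) forwards `edit?` to `update?`; adding `alias_method :edit?, :update?` after `update?` makes the form and the submit share one rule regardless of the base class. A short comment on `permitted_attributes` would also help, since the same list serves both the self-service and the admin path: `# attribute set shared by self-service and admin password changes`.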