diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 0e78f9c2e..f5fcc40e0 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -9,7 +9,7 @@ class PasswordsController < ApplicationController
 def update
 @user = authorize User.find(params[:user_id]), policy_class: PasswordPolicy
- if @user.authenticate_password(params[:user][:old_password]) || @user.authenticate_login_key(params[:user][:signed_user_id])
+ if @user.authenticate_password(params[:user][:old_password]) || @user.authenticate_login_key(params[:user][:signed_user_id]) || CurrentUser.user.is_owner?
 @user.update(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation])
 else
 @user.errors.add(:base, "Incorrect password")
diff --git a/app/policies/password_policy.rb b/app/policies/password_policy.rb
index a315c507e..3c34af574 100644
--- a/app/policies/password_policy.rb
+++ b/app/policies/password_policy.rb
@@ -1,5 +1,5 @@
 class PasswordPolicy < ApplicationPolicy
 def update?
- record.id == user.id || user.is_admin?
+ record.id == user.id || user.is_owner?
 end
 end
diff --git a/test/functional/passwords_controller_test.rb b/test/functional/passwords_controller_test.rb
index aae7c9acb..f865957f2 100644
--- a/test/functional/passwords_controller_test.rb
+++ b/test/functional/passwords_controller_test.rb
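Review bot: The new `|| CurrentUser.user.is_owner?` alternative in `update` also fires when the owner is changing their own password, so the most privileged account can have its password rotated by anyone holding an owner session without presenting the current password, while every other user still has to re-authenticate against `old_password` or a login key. Restricting the bypass to the cross-user case keeps the owner's own account under the same rule as everyone else's, e.g. `|| (CurrentUser.user.is_owner? && CurrentUser.user.id != @user.id)` (comparing by `id` mirrors the policy's `record.id == user.id`; whether `CurrentUser.user` can be compared to `@user` directly cannot be confirmed from the hunk). The added tests cover an owner resetting another user and an admin being refused, but not an owner omitting `old_password` on their own account, which is the case that would pin this down. The `update` action continues past the end of the hunk, so the response in the `else` branch is not visible here.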
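Review bot: `update?` now grants any owner, but the controller hunk re-derives the same decision from `CurrentUser.user.is_owner?` rather than from this policy, so the owner rule is evaluated twice against two different sources (`user` here, `CurrentUser.user` in `PasswordsController#update`). If those can ever differ — not determinable from the diff — the controller could skip the old-password check for a request the policy did not admit on ownership grounds, and a later change to one site will silently drift from the other. Exposing the decision once, e.g. a predicate such as `can_reset_without_old_password?` on `PasswordPolicy` that the controller queries, would keep the authorization rule in one place; the name is only a suggestion.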
@@ -31,6 +31,24 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
 assert_equal(@user, @user.authenticate_password("abcde"))
 end
+ should "allow the site owner to change the password of other users" do
+ @owner = create(:owner_user)
+ put_auth user_password_path(@user), @owner, params: { user: { password: "abcde", password_confirmation: "abcde" } }
+
+ assert_redirected_to @user
+ assert_equal(false, @user.reload.authenticate_password("12345"))
+ assert_equal(@user, @user.authenticate_password("abcde"))
+ end
+
+ should "not allow non-owners to change the password of other users" do
+ @admin = create(:admin_user)
+ put_auth user_password_path(@user), @admin, params: { user: { old_password: "12345", password: "abcde", password_confirmation: "abcde" } }
+
+ assert_response 403
+ assert_equal(@user, @user.reload.authenticate_password("12345"))
+ assert_equal(false, @user.authenticate_password("abcde"))
+ end
+
 should "not update the password when given an invalid old password" do
 put_auth user_password_path(@user), @user, params: { user: { old_password: "3qoirjqe", password: "abcde", password_confirmation: "abcde" } }