diff --git a/modules/user.py b/modules/user.py
index 1c647612e80b4e30505fd39b7e82185187be8e13..9f9621882cdfb0816057f7c236b390043b164df9 100644
--- a/modules/user.py
+++ b/modules/user.py
@@ -92,7 +92,7 @@ def add_new_user():
     user_id = form.get("user_id")
     password = form.get("password")
     #hashing paswword 
-    hash_pass = generate_password_hash(password);
+    hash_pass = generate_password_hash(password)
     username = form.get("username")
     name = form.get("name")
     role = form.get("role")
@@ -136,6 +136,35 @@ def delete_user(user):
             "status": 200,
             "message": "User deleted successfully"
         })
+    except Exception as e:
+        return jsonify({
+            "status": 500,
+            "message": str(e)
+        })
+
+
+@user_route.route('/api/change-password', methods=["POST"])
+@validate_login_token(pass_user=True)
+def change_password(user):
+    try:
+        current_password = request.get_json().get("current_password")
+        new_password = request.get_json().get("new_password")
+        is_password_match = check_password_hash(user.password, current_password)
+
+        if len(user) > 0 and is_password_match:
+            hash_pass = generate_password_hash(new_password)
+            user.password = hash_pass
+            user.save()
+
+            return jsonify({
+                "status": 200,
+                "message": "Password changed"
+            })
+        else:
+            return jsonify({
+                "status": 500,
+                "message": "Password do not match"
+            })
     except Exception as e:
         return jsonify({
             "status": 500,
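Review bot: `new_password` reaches `generate_password_hash` in `change_password` without any check, so an empty string is accepted as the new password, and a missing field or a non-JSON body only fails by raising into the `except Exception` handler, which sends `str(e)` back to the caller. Validate both fields up front and answer with a 400 and a fixed message; the wrong-current-password branch is a client error too, and because `jsonify(...)` is returned without a status code the HTTP response stays 200 while the body says 500. The `len(user) > 0` test runs only after `user.password` has been read, so it guards nothing and can be dropped (assuming `validate_login_token` always passes a loaded user). The handler's `except` body continues past the end of the hunk.

```python
def change_password(user):
    try:
        payload = request.get_json(silent=True) or {}
        current_password = payload.get("current_password")
        new_password = payload.get("new_password")

        # Reject missing, non-string or empty fields before calling the hash helpers.
        if not isinstance(current_password, str) or not isinstance(new_password, str) or not new_password:
            return jsonify({
                "status": 400,
                "message": "current_password and new_password are required"
            }), 400

        if not check_password_hash(user.password, current_password):
            return jsonify({
                "status": 401,
                "message": "Password do not match"
            }), 401

        # … unchanged: hash new_password, assign user.password, user.save(), 200 response …
```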
diff --git a/readme.md b/readme.md
index 514d1f37354ba6af4ffbc7cb9ea11c2cbb935c22..3ece2f48654118b93c77ab0b53e511aa71a80d09 100644
--- a/readme.md
+++ b/readme.md
@@ -27,7 +27,7 @@ python app.py
 
 Berikut adalah API endpoints dari backend server VIS-MASY:
 
-### Login dan Register
+### User
 
 * #### /api/login
     Method: POST  
@@ -65,6 +65,12 @@ Berikut adalah API endpoints dari backend server VIS-MASY:
     Response: status, message  
     Menghapus pengguna dengan user_id jika authorization header untuk admin, atau menghapus pengguna dalam authorization header jika user_id tidak diberikan.
 
+* #### /api/change-password
+    Method: POST
+    Data request: Authorization header, current_password, new_password
+    Response: status, message
+    Mengubah kata sandi pengguna apabila current_password dan password pengguna yang tersimpan di basis data sudah cocok. Kata sandi yang baru adalah new_password yang telah di-*hash*.
+
 ### Page (High Level)
 
 * #### /api/page/get-top