diff --git a/security.api.go b/security.api.go
index 9d25505..7e64c44 100644
--- a/security.api.go
+++ b/security.api.go
@@ -36,12 +36,12 @@ func (securityApi *SecurityAPI) updatePassword(router *mux.Router) {
 router.Handle(
 SecurityAPIExtURLStub+"{account_uuid}",
 APIHandler(func(w http.ResponseWriter, r *http.Request) {
+ var security Security
 params := mux.Vars(r)
- accountUUID := params["account_uuid"]
- var passwordData Security
 body, _ := ioutil.ReadAll(r.Body)
- json.Unmarshal(body, &passwordData)
- securityApi.model.UpdatePasswordByUUID(db.Get(), passwordData.Password, accountUUID)
+ json.Unmarshal(body, &security)
+ security.AccountUUID = params["account_uuid"]
+ security.UpdatePasswordByUUID(db.Get())
 response := APIResponse{
 Code: SecurityAPIErrorPasswordChangeOk,
 Message: "ok",
diff --git a/security.go b/security.go
index 173ec15..f4a452c 100644
--- a/security.go
+++ b/security.go
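Review bot: The new `json.Unmarshal(body, &security)` still discards its error, so a malformed body silently yields a zero-value Security whose empty Password is only caught later by utils.ValidatePassword (if that helper rejects empty strings — not visible here), and the preceding `ioutil.ReadAll(r.Body)` has no size cap. Decode with a bound and a check, e.g. `if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&security); err != nil { panic(err) }`, which fits the panic-based error reporting the model layer already uses, assuming APIHandler recovers it. Setting `security.AccountUUID = params["account_uuid"]` after the decode is the right order — it overrides any `account_uuid` a client puts in the body — and that ordering should be kept if the decode line changes. Note that Security now also carries a JSON-tagged `hashed_password` field, so the client can populate it; the public UpdatePasswordByUUID overwrites it before the SQL runs, but the handler should never be switched to call the private updatePasswordByUUID directly. The handler body continues past this hunk.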
@@ -6,34 +6,37 @@ import ( // Security module for handling security related account data type Security struct { - Password string `json:"password"` + AccountUUID string `json:"account_uuid"` + Password string `json:"password"` + HashedPassword string `json:"hashed_password"` } // UpdatePasswordByUUID sets the password of the user identified by account UUID :accountUUID // to the :password. -func (security *Security) UpdatePasswordByUUID(database *sql.DB, password string, accountUUID string) { - if err := utils.ValidatePassword(password); err != nil { +func (security *Security) UpdatePasswordByUUID(database *sql.DB) { + if err := utils.ValidatePassword(security.Password); err != nil { panic(&ModelError{ Code: err.(*ValidationError).Code, Message: err.(*ValidationError).Message, Data: map[string]interface{}{}, // reveal nothing, it's the password (: }) } - hashedPassword, err := utils.CreatePasswordHash(password) + hashedPassword, err := utils.CreatePasswordHash(security.Password) if err != nil { panic(err) } - security.updatePasswordByUUID(database, &User{}, hashedPassword, accountUUID) + security.HashedPassword = hashedPassword + security.updatePasswordByUUID(database) } -func (security *Security) updatePasswordByUUID(database *sql.DB, user *User, hashedPassword string, accountUUID string) { +func (security *Security) updatePasswordByUUID(database *sql.DB) { sqlStmt := "UPDATE security AS s INNER JOIN accounts AS a ON s.account_id = a.id SET s.password = ? WHERE a.uuid = ?" logger.Infof("[security] executing sql '%s'", sqlStmt) stmt, err := database.Prepare(sqlStmt) if err != nil { panic(err) } - results, err := stmt.Exec(hashedPassword, accountUUID) + results, err := stmt.Exec(security.HashedPassword, security.AccountUUID) if err != nil { panic(err) } 
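Review bot: `HashedPassword string `json:"hashed_password"`` gives the stored hash a wire name, so it is both settable from a decoded request body and emitted by any json.Marshal of a Security value; the hash should cross the API boundary in neither direction. Tag it `HashedPassword string `json:"-"`` — the field is only populated internally in UpdatePasswordByUUID right before updatePasswordByUUID reads it, so nothing in this diff relies on the tag. While here, `stmt, err := database.Prepare(sqlStmt)` is never closed; adding `defer stmt.Close()` after the error check avoids leaking server-side prepared statements on every password change. The `err.(*ValidationError)` assertions will themselves panic with a bare runtime error, not a ModelError, if utils.ValidatePassword ever returns a different error type. The body of updatePasswordByUUID continues past the end of this hunk.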
@@ -41,6 +44,7 @@ func (security *Security) updatePasswordByUUID(database *sql.DB, user *User, has
 if err != nil {
 panic(err)
 } else if rowsAffected == 0 {
- user.GetByUUID(database, accountUUID)
+ user := &User{}
+ user.GetByUUID(database, security.AccountUUID)
 }
 }
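Review bot: When `rowsAffected == 0` but the account exists, `user.GetByUUID(database, security.AccountUUID)` presumably returns normally and the function falls through, so the caller in security.api.go still answers with SecurityAPIErrorPasswordChangeOk although no password row changed — for example an account with no matching `security` row, or, since MySQL reports changed rather than matched rows by default, an update that wrote an identical value (only possible if utils.CreatePasswordHash is deterministic). After the lookup, fail explicitly with a ModelError as the validation path in UpdatePasswordByUUID does, rather than returning silently. The return value of GetByUUID is discarded, so the call's only purpose can be whatever it panics with; if that is its behavior, say so: `// GetByUUID panics with not-found for an unknown account; reaching past it means the account exists but has no security row`. The enclosing updatePasswordByUUID begins outside this hunk.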