diff --git a/lib/routes/api/users.js b/lib/routes/api/users.js
index 665594b..dc37bcd 100644
--- a/lib/routes/api/users.js
+++ b/lib/routes/api/users.js
@@ -285,6 +285,11 @@ router.put('/:user_sid', async(req, res) => {
 //debug(`PUT /Users/:sid pwd ${old_password} does not match hash ${old_hashed_password}`);
 return res.sendStatus(403);
 }
+
+ if (old_password === new_password) {
+ throw new Error('new password cannot be your old password');
+ }
+
 const passwordHash = await generateHashedPassword(new_password);
 //debug(`updating hashed_password to ${passwordHash}`);
 const r = await promisePool.execute(updateSql, [passwordHash, user_sid]);
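Review bot: The new same-password check throws a plain `Error`, while the failed old-password branch directly above it answers with `res.sendStatus(403)`. Unless the handler's catch block (outside this hunk) maps that error to a client status, a password-reuse attempt will probably surface as a 500 rather than a validation failure, which also makes it hard to tell from real server faults in logs and alerts. Returning the rejection explicitly would keep the two branches consistent, e.g. `return res.status(400).json({msg: 'new password cannot be your old password'});`. router.put's body starts and ends outside the hunk, so the actual error path and any type or presence checks on `new_password` could not be confirmed from here.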