diff --git a/app/blueprints/admin/admin.py b/app/blueprints/admin/admin.py
index f1104a8..acfc771 100644
--- a/app/blueprints/admin/admin.py
+++ b/app/blueprints/admin/admin.py
@@ -177,7 +177,7 @@ class SwitchUserForm(FlaskForm):
 @rank_required(UserRank.ADMIN)
 def switch_user():
 form = SwitchUserForm(formdata=request.form)
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 user = User.query.filter_by(username=form["username"].data).first()
 if user is None:
 flash("Unable to find user", "danger")
diff --git a/app/blueprints/admin/licenseseditor.py b/app/blueprints/admin/licenseseditor.py
index 764aff6..2176343 100644
--- a/app/blueprints/admin/licenseseditor.py
+++ b/app/blueprints/admin/licenseseditor.py
@@ -48,7 +48,7 @@ def create_edit_license(name=None):
 form = LicenseForm(formdata=request.form, obj=license)
 if request.method == "GET" and license is None:
 form.is_foss.data = True
- elif request.method == "POST" and form.validate():
+ elif form.validate_on_submit():
 if license is None:
 license = License(form.name.data)
 db.session.add(license)
diff --git a/app/blueprints/admin/tagseditor.py b/app/blueprints/admin/tagseditor.py
index 0aa6776..8d54bfc 100644
--- a/app/blueprints/admin/tagseditor.py
+++ b/app/blueprints/admin/tagseditor.py
@@ -60,7 +60,7 @@ def create_edit_tag(name=None):
 abort(403)
 form = TagForm(formdata=request.form, obj=tag)
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 if tag is None:
 tag = Tag(form.title.data)
 tag.description = form.description.data
diff --git a/app/blueprints/admin/versioneditor.py b/app/blueprints/admin/versioneditor.py
index 8bbbacb..902e021 100644
--- a/app/blueprints/admin/versioneditor.py
+++ b/app/blueprints/admin/versioneditor.py
@@ -46,7 +46,7 @@ def create_edit_version(name=None):
 abort(404)
 form = VersionForm(formdata=request.form, obj=version)
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 if version is None:
 version = MinetestRelease(form.name.data)
 db.session.add(version)
diff --git a/app/blueprints/admin/warningseditor.py b/app/blueprints/admin/warningseditor.py
index 673127e..3ac2ed3 100644
--- a/app/blueprints/admin/warningseditor.py
+++ b/app/blueprints/admin/warningseditor.py
@@ -47,7 +47,7 @@ def create_edit_warning(name=None):
 abort(404)
 form = WarningForm(formdata=request.form, obj=warning)
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 if warning is None:
 warning = ContentWarning(form.title.data, form.description.data)
 db.session.add(warning)
diff --git a/app/blueprints/api/tokens.py b/app/blueprints/api/tokens.py
index ef145ea..4999374 100644
--- a/app/blueprints/api/tokens.py
+++ b/app/blueprints/api/tokens.py
@@ -80,7 +80,7 @@ def create_edit_token(username, id=None):
 form = CreateAPIToken(formdata=request.form, obj=token)
 form.package.query_factory = lambda: Package.query.filter_by(author=user).all()
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 if is_new:
 token = APIToken()
 token.owner = user
diff --git a/app/blueprints/github/__init__.py b/app/blueprints/github/__init__.py
index 60b1ef7..376fb21 100644
--- a/app/blueprints/github/__init__.py
+++ b/app/blueprints/github/__init__.py
@@ -191,7 +191,7 @@ def setup_webhook():
 redirect_uri=abs_url_for("github.callback_webhook", pid=pid))
 form = SetupWebhookForm(formdata=request.form)
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 token = APIToken()
 token.name = "GitHub Webhook for " + package.title
 token.owner = current_user
diff --git a/app/blueprints/packages/packages.py b/app/blueprints/packages/packages.py
index 44a6512..51a5b3c 100644
--- a/app/blueprints/packages/packages.py
+++ b/app/blueprints/packages/packages.py
@@ -286,7 +286,7 @@ def create_edit(author=None, name=None):
 if request.method == "POST" and form.type.data == PackageType.TXP:
 form.license.data = form.media_license.data
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 wasNew = False
 if not package:
 package = Package.query.filter_by(name=form["name"].data, author_id=author.id).first()
@@ -468,7 +468,7 @@ def edit_maintainers(package):
 if request.method == "GET":
 form.maintainers_str.data = ", ".join([ x.username for x in package.maintainers if x != package.author ])
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 usernames = [x.strip().lower() for x in form.maintainers_str.data.split(",")]
 users = User.query.filter(func.lower(User.username).in_(usernames)).all()
diff --git a/app/blueprints/packages/releases.py b/app/blueprints/packages/releases.py
index 68635d1..594196e 100644
--- a/app/blueprints/packages/releases.py
+++ b/app/blueprints/packages/releases.py
@@ -75,7 +75,7 @@ def create_release(package):
 if request.method != "POST":
 form["uploadOpt"].data = "vcs"
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 if form["uploadOpt"].data == "vcs":
 rel = PackageRelease()
 rel.package = package
@@ -169,7 +169,7 @@ def edit_release(package, id):
 # HACK: fix bug in wtforms
 form.approved.data = release.approved
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 wasApproved = release.approved
 if canEdit:
 release.title = form["title"].data
@@ -217,7 +217,7 @@ def bulk_change_release(package):
 if request.method == "GET":
 form.only_change_none.data = True
- elif request.method == "POST" and form.validate():
+ elif form.validate_on_submit():
 only_change_none = form.only_change_none.data
 for release in package.releases.all():
diff --git a/app/blueprints/packages/reviews.py b/app/blueprints/packages/reviews.py
index 9fe8bc0..04bcf41 100644
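Review bot: Two lines above the new `if form.validate_on_submit():` in create_edit, the TXP branch still tests `request.method == "POST"`; Flask-WTF's `validate_on_submit()` treats PUT, PATCH and DELETE as submitted as well, so the two predicates can disagree for the same request even though they are meant to describe the same "form was posted" state. Using `if form.is_submitted() and form.type.data == PackageType.TXP:` there keeps the submit test in one place, and the same applies to the `request.method != "POST"` / `== "GET"` context lines in create_release, edit_maintainers and bulk_change_release in the hunks on this line. create_edit's body continues outside the hunk.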
--- a/app/blueprints/packages/reviews.py
+++ b/app/blueprints/packages/reviews.py
@@ -59,7 +59,7 @@ def review(package):
 form.comment.data = review.thread.replies[0].comment
 # Validate and submit
- elif request.method == "POST" and form.validate():
+ elif form.validate_on_submit():
 was_new = False
 if not review:
 was_new = True
diff --git a/app/blueprints/packages/screenshots.py b/app/blueprints/packages/screenshots.py
index c177307..fa7d205 100644
--- a/app/blueprints/packages/screenshots.py
+++ b/app/blueprints/packages/screenshots.py
@@ -46,7 +46,7 @@ def create_screenshot(package):
 # Initial form class from post data and default data
 form = CreateScreenshotForm()
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 uploadedUrl, uploadedPath = doFileUpload(form.fileUpload.data, "image", "a PNG or JPG image file")
 if uploadedUrl is not None:
@@ -85,7 +85,7 @@ def edit_screenshot(package, id):
 # HACK: fix bug in wtforms
 form.approved.data = screenshot.approved
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 if canEdit and form["delete"].data:
 PackageScreenshot.query.filter_by(id=id).delete()
diff --git a/app/blueprints/threads/__init__.py b/app/blueprints/threads/__init__.py
index bf38718..9233fa4 100644
--- a/app/blueprints/threads/__init__.py
+++ b/app/blueprints/threads/__init__.py
@@ -163,7 +163,7 @@ def edit_reply(id):
 abort(403)
 form = CommentForm(formdata=request.form, obj=reply)
- if request.method == "POST" and form.validate():
+ if form.validate_on_submit():
 comment = form.comment.data
 msg = "Edited reply by {}".format(reply.author.display_name)
@@ -271,7 +271,7 @@ def new():
 form.title.data = request.args.get("title") or ""
 # Validate and submit
- elif request.method == "POST" and form.validate():
+ elif form.validate_on_submit():
 thread = Thread()
 thread.author = current_user
 thread.title = form.title.data
diff --git a/app/blueprints/users/account.py b/app/blueprints/users/account.py
index 6434e97..e36c4a4 100644
--- a/app/blueprints/users/account.py
+++ b/app/blueprints/users/account.py
@@ -68,6 +68,13 @@ def handle_login(form):
 @bp.route("/user/login/", methods=["GET", "POST"])
 def login():
+ if current_user.is_authenticated:
+ next = request.args.get("next")
+ if next and not is_safe_url(next):
+ abort(400)
+
+ return redirect(next or url_for("homepage.home"))
+
 form = LoginForm(request.form)
 if form.validate_on_submit():
 ret = handle_login(form)
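Review bot: The new already-authenticated branch in login() binds the redirect target to `next`, shadowing the builtin; `next_url = request.args.get("next")` with the two following lines updated reads better and avoids surprises if `next()` is ever needed in this function. The open-redirect guard is only as good as `is_safe_url`, which is defined outside this hunk — it should accept relative paths and otherwise require the target's scheme and netloc to match the current request's, so it is worth confirming rather than assuming. A one-line comment on the `abort(400)` such as `# refuse off-site "next" targets instead of silently dropping them` would record why a 400 is preferred over falling back to the homepage. login()'s body continues past the hunk.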
@@ -134,10 +141,61 @@ class SetPasswordForm(FlaskForm):
 password2 = PasswordField("Verify password", [InputRequired(), Length(8, 100)])
 submit = SubmitField("Save")
+class ChangePasswordForm(FlaskForm):
+ old_password = PasswordField("Old password", [InputRequired(), Length(8, 100)])
+ password = PasswordField("New password", [InputRequired(), Length(8, 100)])
+ password2 = PasswordField("Verify password", [InputRequired(), Length(8, 100)])
+ submit = SubmitField("Save")
+
+
+def handle_set_password(form):
+ one = form.password.data
+ two = form.password2.data
+ if one != two:
+ flash("Passwords do not much", "danger")
+ return
+
+ current_user.password = make_flask_login_password(form.password.data)
+ db.session.commit()
+
+ flash("Your password has been changed successfully.", "success")
+
+ if hasattr(form, "email"):
+ newEmail = form.email.data
+ if newEmail != current_user.email and newEmail.strip() != "":
+ token = randomString(32)
+
+ ver = UserEmailVerification()
+ ver.user = current_user
+ ver.token = token
+ ver.email = newEmail
+ db.session.add(ver)
+ db.session.commit()
+
+ task = sendVerifyEmail.delay(newEmail, token)
+ return redirect(
+ url_for("tasks.check", id=task.id, r=url_for("users.profile", username=current_user.username)))
+
+ return redirect(url_for("homepage.home"))
+
+
 @bp.route("/user/change-password/", methods=["GET", "POST"])
 @login_required
 def change_password():
- return "change"
+ form = ChangePasswordForm(request.form)
+
+ if current_user.email is None:
+ form.email.validators = [InputRequired(), Email()]
+
+ if form.validate_on_submit():
+ if check_password_hash(current_user.password, form.old_password.data):
+ ret = handle_set_password(form)
+ if ret:
+ return ret
+ else:
+ flash("Old password is incorrect", "danger")
+
+ return render_template("users/change_set_password.html", form=form)
 @bp.route("/user/set-password/", methods=["GET", "POST"])
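Review bot: change_password() assigns `form.email.validators` whenever `current_user.email is None`, but ChangePasswordForm declares no `email` field (only `old_password`, `password`, `password2`, `submit`), so for any account without an email address that line raises AttributeError before the page is rendered; guard it the way handle_set_password already does, `if current_user.email is None and hasattr(form, "email"):`. The mismatch message in handle_set_password has a typo, `flash("Passwords do not much", "danger")`, where the removed set_password code said `Passwords do not match`. If accounts without a stored password exist (the separate set-password route suggests they do), `current_user.password` may be `None` and `check_password_hash(current_user.password, ...)` will raise on it rather than fail closed, so those users should be sent to set_password before the hash check. The password/password2 equality check would sit more naturally as an `EqualTo("password")` validator on `password2`, reporting the error on the field instead of through a flash after validation has already passed.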
@@ -150,39 +208,12 @@ def set_password():
 if current_user.email is None:
 form.email.validators = [InputRequired(), Email()]
- if request.method == "POST" and form.validate():
- one = form.password.data
- two = form.password2.data
- if one == two:
- # Hash password
- hashed_password = make_flask_login_password(form.password.data)
+ if form.validate_on_submit():
+ ret = handle_set_password(form)
+ if ret:
+ return ret
- # Change password
- current_user.password = hashed_password
- db.session.commit()
-
- # Prepare one-time system message
- flash('Your password has been changed successfully.', 'success')
-
- newEmail = form["email"].data
- if newEmail != current_user.email and newEmail.strip() != "":
- token = randomString(32)
-
- ver = UserEmailVerification()
- ver.user = current_user
- ver.token = token
- ver.email = newEmail
- db.session.add(ver)
- db.session.commit()
-
- task = sendVerifyEmail.delay(newEmail, token)
- return redirect(url_for("tasks.check", id=task.id, r=url_for("users.profile", username=current_user.username)))
- else:
- return redirect(url_for("users.login"))
- else:
- flash("Passwords do not match", "danger")
-
- return render_template("users/set_password.html", form=form, optional=request.args.get("optional"))
+ return render_template("users/change_set_password.html", form=form, optional=request.args.get("optional"))
 @bp.route("/user/verify/")
diff --git a/app/blueprints/users/profile.py b/app/blueprints/users/profile.py
index df4100c..463ce5b 100644
--- a/app/blueprints/users/profile.py
+++ b/app/blueprints/users/profile.py
@@ -93,7 +93,7 @@ def profile(username):
 if user.checkPerm(current_user, Permission.CHANGE_EMAIL):
 newEmail = form["email"].data
- if newEmail != user.email and newEmail.strip() != "":
+ if newEmail and newEmail != user.email and newEmail.strip() != "":
 token = randomString(32)
 msg = "Changed email of {}".format(user.display_name)
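Review bot: set_password() now hands the form straight to `handle_set_password(form)` with no old-password verification, while change_password() requires one; that is only safe if the part of set_password above this hunk limits the route to accounts that have no password yet. If it does not, a guard such as `if current_user.password: return redirect(url_for("users.change_password"))` before the form handling would keep the two routes' guarantees distinct; please confirm against the function head, which is outside the hunk. A short docstring on set_password stating that it is for accounts without an existing password (if that is the intent) would make the difference from change_password explicit to the next reader.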
diff --git a/app/templates/users/set_password.html b/app/templates/users/change_set_password.html
similarity index 81%
rename from app/templates/users/set_password.html
rename to app/templates/users/change_set_password.html
index 2d52021..89d22a6 100644
--- a/app/templates/users/set_password.html
+++ b/app/templates/users/change_set_password.html
@@ -21,8 +21,8 @@
{{ form.hidden_tag() }}
- {% if not current_user.email %}
- {{ render_field(form.email, tabindex=230) }}
+ {% if form.email and not current_user.email %}
+ {{ render_field(form.email, tabindex=220) }}

Your email is needed to recover your account if you forget your
@@ -31,6 +31,10 @@
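Review bot: The email field is moved to `tabindex=220` here, but the `old_password` field added further down in this file is rendered with `tabindex=230`, the same value `form.password` already carries, so the tab order between old and new password is left to the browser; giving the new field its own slot, e.g. `{{ render_field(form.old_password, tabindex=225) }}`, or renumbering password/password2 would make the sequence deterministic. The `form.email and` guard is what hides the email block for ChangePasswordForm, so any view that sets validators on `form.email` needs to check for the field's existence the same way. The remainder of this hunk appears to be missing from the extracted page.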

{% endif %}
+ {% if form.old_password %}
+ {{ render_field(form.old_password, tabindex=230) }}
+ {% endif %}
+
 {{ render_field(form.password, tabindex=230) }}
 {{ render_field(form.password2, tabindex=240) }}