diff --git a/src/routes/test/profile-test.js b/src/routes/test/profile-test.js
index 9c124a055..f36e89c9b 100644
--- a/src/routes/test/profile-test.js
+++ b/src/routes/test/profile-test.js
@@ -248,7 +248,7 @@ describe('Profile API', function () {
 .query({ access_token: token_0 })
 .send({ password: 'some wrong password', newPassword: 'MOre#$%34' })
 .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
+ expect(res.statusCode).to.equal(400);
 done();
 });
 });
diff --git a/src/routes/users.js b/src/routes/users.js
index 3faba52aa..619f829d3 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -132,7 +132,7 @@ function verifyPassword(req, res, next) {
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
 users.verifyWithUsername(req.user.username, req.body.password, function (error) {
- if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect')); // not 401 intentionally since the UI redirects for 401
+ if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(400, 'Password incorrect'));
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
 if (error) return next(new HttpError(500, error));
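Review bot: The updated expectation on the `+` line still asserts only the status code, and 400 is now also what verifyPassword returns for a missing or non-string password (visible in the users.js hunk), so this test no longer shows that the request reached the wrong-password branch rather than the input-validation one. Asserting on the returned error message would restore that distinction, e.g. `expect(res.body.message).to.equal('Password incorrect');`, assuming HttpError's message is serialized into the response body under `message` — confirm against the app's error handler. A one-line comment above the expectation saying why 400 rather than 401 or 403 is expected would also be worth keeping here, since the explanatory comment on the old users.js line is dropped by this commit. The enclosing it() block begins before this hunk.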