diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 0fc360d0ab..11e8e5903c 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -350,15 +350,11 @@ class UserV3(controller.V3Controller):
 
         domain_scope = self._get_domain_id_for_request(context)
         try:
-            self.identity_api.authenticate(user_id=user_id,
-                                           password=original_password,
-                                           domain_scope=domain_scope)
+            self.identity_api.change_password(user_id, original_password,
+                                              password, domain_scope)
         except AssertionError:
             raise exception.Unauthorized()
 
-        update_dict = {'password': password}
-        self._update_user(context, user_id, update_dict, domain_scope)
-
 
 @dependency.requires('identity_api')
 class GroupV3(controller.V3Controller):
diff --git a/keystone/identity/core.py b/keystone/identity/core.py
index 481f3b0415..6d20a479a3 100644
--- a/keystone/identity/core.py
+++ b/keystone/identity/core.py
@@ -461,6 +461,17 @@ class Manager(manager.Manager):
         domain_id, driver = self._get_domain_id_and_driver(domain_scope)
         return driver.check_user_in_group(user_id, group_id)
 
+    @domains_configured
+    def change_password(self, user_id, original_password, new_password,
+                        domain_scope):
+
+        # authenticate() will raise an AssertionError if authentication fails
+        self.authenticate(user_id, original_password,
+                          domain_scope=domain_scope)
+
+        update_dict = {'password': new_password}
+        self.update_user(user_id, update_dict, domain_scope=domain_scope)
+
     # TODO(morganfainberg): Remove the following deprecated methods once
     # Icehouse is released.  Maintain identity -> assignment proxy for 1
     # release.