diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 181cc19ac..410dd41cb 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -19,6 +19,12 @@ class Epp::SessionsController < EppController end if @api_user.try(:active) && cert_valid
+ if parsed_frame.css('newPW').first
+ unless @api_user.update(password: parsed_frame.css('newPW').first.text)
+ handle_errors(@api_user) and return
+ end
+ end
+ epp_session[:api_user_id] = @api_user.id render_epp_response('login_success') else
@@ -42,4 +48,8 @@ class Epp::SessionsController < EppController ph = params_hash['epp']['command']['login'] { username: ph[:clID], password: ph[:pw] } end
+
+ def parsed_frame
+ @parsed_frame ||= Nokogiri::XML(request.params[:raw_frame]).remove_namespaces!
+ end end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index d95ce8414..5e4b6ab00 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -2,6 +2,15 @@ require 'open3' # rubocop: disable Metrics/ClassLength class ApiUser < User
+ include EppErrors
+ def epp_code_map # rubocop:disable Metrics/MethodLength
+ {
+ '2306' => [ # Parameter policy error
+ [:password, :blank]
+ ]
+ }
+ end
+ + # TODO: should have max request limit per day belongs_to :registrar has_many :contacts
diff --git a/app/views/registrar/sessions/login_mid.haml b/app/views/registrar/sessions/login_mid.haml
index 75bf240e8..ccbb05179 100644
--- a/app/views/registrar/sessions/login_mid.haml
+++ b/app/views/registrar/sessions/login_mid.haml
@@ -9,6 +9,10 @@ = f.text_field :phone, class: 'form-control', placeholder: t('phone_no'), autocomplete: 'off' %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t('log_in')
+- if ['development', 'alpha'].include?(Rails.env)
+ %div.text-center
+ 60000007 / 00000766
+ :coffee $('.js-login').attr('disabled', false) 
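Review bot: The new password is persisted with `@api_user.update(password: ...)`, which presumably runs every validation on the `ApiUser` record, so once a client sends `newPW` any unrelated invalid attribute on that user turns into a login failure with an error code nothing maps — and even for the password itself only `[:password, :blank]` is mapped to 2306 in the companion `epp_code_map`, while RFC 5730 bounds `newPW` to 6–16 characters, so a length rule on the model (if one exists) would surface unmapped. The safe fix is to keep `update` (do not drop to `update_column`, which would skip the blank check) and map every error the `password` attribute can produce. `parsed_frame.css('newPW').first` is also evaluated twice; bind it once: `new_pw = parsed_frame.css('newPW').first` / `if new_pw && !@api_user.update(password: new_pw.text)` / `handle_errors(@api_user) and return`. The login action begins before this hunk, so the old-password check that populates `@api_user` is not visible here.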
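Review bot: `parsed_frame` re-parses `request.params[:raw_frame]` with Nokogiri although the same frame is already available in hash form — `login_params` reads `params_hash['epp']['command']['login']` two lines above — so `newPW` could presumably be taken as `ph[:newPW]` there, avoiding a second parse of client-supplied XML and any drift between the two representations. If a DOM is genuinely needed, the method deserves a comment stating what it assumes about the input, e.g. `# raw_frame is the frame EppController already validated; nil/garbage yields an empty document — TODO confirm`. Whether this lands under the `private` marker cannot be seen from the hunk.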
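Review bot: `epp_code_map` maps only `[:password, :blank]` to 2306, so if `User` validates password length (RFC 5730 requires 6–16 characters for `newPW`) those failures reach the client without a result code; add `[:password, :too_short]` and `[:password, :too_long]` to the same 2306 list, after confirming the validations on `User`, which are outside this hunk. The `# rubocop:disable Metrics/MethodLength` on a five-line body looks unnecessary unless the project lowers the default limit, and the inline `# Parameter policy error` comment would read better as a one-line doc comment above `def epp_code_map`: `# Maps ActiveModel validation errors to EPP result codes (RFC 5730).`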
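Review bot: The literal test identifiers `60000007 / 00000766` are rendered whenever `Rails.env` is `development` or `alpha`; if `alpha` is a network-reachable deployment this publishes shared test login identities on the login page, which may be intended for testers but should not depend on the environment name alone. Gate it on an explicit setting and say what the numbers are, e.g. `- if Rails.env.development? || Rails.configuration.x.show_test_login_ids` preceded by `-# test phone / ID-code pair for the sandbox login — never enable in production`. The names of the config flag and of the credential pair are inferred, not visible in the hunk.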
diff --git a/spec/epp/session_spec.rb b/spec/epp/session_spec.rb
index e0e8afae9..8fd1b2c67 100644
--- a/spec/epp/session_spec.rb
+++ b/spec/epp/session_spec.rb
@@ -85,6 +85,36 @@ describe 'EPP Session', epp: true do EppSession.last[:api_user_id].should == nil end
+
+ it 'changes password and logs in' do
+ @api_user.update(password: 'ghyt9e4fu')
+ response = epp_plain_request(@epp_xml.session.login(
+ clID: { value: 'gitlab' },
+ pw: { value: 'ghyt9e4fu' },
+ newPW: { value: 'abcdefg' }
+ ), :xml)
+
+ response[:msg].should == 'Command completed successfully'
+ response[:result_code].should == '1000'
+
+ @api_user.reload
+ @api_user.password.should == 'abcdefg'
+ end
+
+ it 'fails if new password is not valid' do
+ @api_user.update(password: 'ghyt9e4fu')
+ response = epp_plain_request(@epp_xml.session.login(
+ clID: { value: 'gitlab' },
+ pw: { value: 'ghyt9e4fu' },
+ newPW: { value: '' }
+ ), :xml)
+
+ response[:msg].should == 'Password is missing [password]'
+ response[:result_code].should == '2306'
+
+ @api_user.reload
+ @api_user.password.should == 'ghyt9e4fu'
+ end end end end
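Review bot: The failure case checks the result code and that the old password survives, but not that the rejected login left no session behind; the controller returns from `handle_errors` before `epp_session[:api_user_id]` is assigned, so add `EppSession.last[:api_user_id].should == nil` after the reload, as the sibling test just above this hunk does. Both new cases read `@api_user.password` back after `reload`, which only works if the password is stored in recoverable form — if that is really the case it is a separate finding against the model, and the assertion would be stronger as a second login with the new credentials than as a column read. There is also no case for a `newPW` outside RFC 5730's 6–16 character range, e.g. `newPW: { value: 'abc' }`, which would pin whether such input is rejected with 2306 or silently accepted. The surrounding `describe` blocks close outside the hunk.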