diff --git a/packages/components/model-user/src/graphql.js b/packages/components/model-user/src/graphql.js
index 1983846579d3d3ac70add0829b386ff1bd011974..c7d309c2d1f741f4693c029fac1e39e6bc489042 100644
--- a/packages/components/model-user/src/graphql.js
+++ b/packages/components/model-user/src/graphql.js
@@ -30,7 +30,14 @@ const resolvers = {
     deleteUser(_, { id }, ctx) {
       return ctx.connectors.User.delete(id, ctx)
     },
-    updateUser(_, { id, input }, ctx) {
+    async updateUser(_, { id, input }, ctx) {
+      if (input.password) {
+        input.passwordHash = await ctx.connectors.User.model.hashPassword(
+          input.password,
+        )
+        delete input.password
+      }
+
       return ctx.connectors.User.update(id, input, ctx)
     },
     // Authentication
diff --git a/packages/components/model-user/test/user_graphql_test.js b/packages/components/model-user/test/user_graphql_test.js
new file mode 100644
index 0000000000000000000000000000000000000000..49d79cbb3647ec115260c6c3e973e89abf60a160
--- /dev/null
+++ b/packages/components/model-user/test/user_graphql_test.js
@@ -0,0 +1,83 @@
+process.env.NODE_CONFIG = `{"pubsweet":{
+  "components":[
+    "@pubsweet/model-user",
+    "@pubsweet/model-team"
+  ]
+}}`
+
+const User = require('../src/user')
+const { dbCleaner, api } = require('pubsweet-server/test')
+
+const { fixtures } = require('@pubsweet/model-user/test')
+const authentication = require('pubsweet-server/src/authentication')
+
+describe('User mutations', () => {
+  // let token
+  // let user
+
+  beforeEach(async () => {
+    await dbCleaner()
+    // user = await new User(fixtures.user).save()
+    // token = authentication.token.create(user)
+  })
+
+  it('a user can sign up', async () => {
+    const { body } = await api.graphql.query(
+      `mutation($input: UserInput) {
+        createUser(input: $input) {
+          username
+        }
+      }`,
+      {
+        input: {
+          username: 'hi',
+          email: 'hi@example.com',
+          password: 'hello',
+        },
+      },
+    )
+
+    expect(body).toEqual({
+      data: {
+        createUser: {
+          username: 'hi',
+        },
+      },
+    })
+  })
+
+  it('a user can update a password', async () => {
+    const user = await new User(fixtures.user).save()
+    const token = authentication.token.create(user)
+
+    const { body } = await api.graphql.query(
+      `mutation($id: ID, $input: UserInput) {
+        updateUser(id: $id, input: $input) {
+          username
+        }
+      }`,
+      {
+        id: user.id,
+        input: {
+          username: 'hi',
+          email: 'hi@example.com',
+          password: 'hello2',
+        },
+      },
+      token,
+    )
+
+    expect(body).toEqual({
+      data: {
+        updateUser: {
+          username: 'hi',
+        },
+      },
+    })
+
+    const oldHash = user.passwordHash
+    const newHash = await User.find(user.id).passwordHash
+
+    expect(oldHash).not.toEqual(newHash)
+  })
+})