diff --git a/src/sql.rs b/src/sql.rs
index d7203e56f77c574213730ee59220624405f09758..4781c09f5dd1d152cea4cd7962ca89a2f52069eb 100644
--- a/src/sql.rs
+++ b/src/sql.rs
@@ -530,7 +530,11 @@ fn check_password_min_length(
     }
 
     let storage = &node.storage;
-    let password_min_length = storage.properties.password_min_length()?;
+
+    // This check is called from user facing API.
+    // A user is not expected to have access to _pico_property
+    let password_min_length =
+        session::with_su(ADMIN_ID, || storage.properties.password_min_length())??;
     if password.len() < password_min_length {
         return Err(Error::Other(
             format!(
diff --git a/test/conftest.py b/test/conftest.py
index fb1c2836f78347960581e0aa05fde162921425a6..2b9132ae7588b3047e62ca7d70b3d93ad17f781c 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -463,6 +463,13 @@ class Connection(tarantool.Connection):  # type: ignore
         self.eval("box.session.su(...)", old_euid)
         return ret
 
+    def create_user(self, name: str, password: str):
+        self.sql(
+            f"""
+            CREATE USER "{name}" WITH PASSWORD '{password}' USING chap-sha1
+            """
+        )
+
 
 @dataclass
 class Instance:
@@ -630,6 +637,17 @@ class Instance:
         with self.connect(timeout, user=user, password=password) as conn:
             return conn.sudo_sql(sql, params)
 
+    def create_user(
+        self,
+        with_name: str,
+        with_password: str,
+        user: str | None = None,
+        password: str | None = None,
+        timeout: int | float = 1,
+    ):
+        with self.connect(timeout, user=user, password=password) as conn:
+            conn.create_user(name=with_name, password=with_password)
+
     def terminate(self, kill_after_seconds=10) -> int | None:
         """Terminate the instance gracefully with SIGTERM"""
         if self.process is None:
diff --git a/test/int/test_sql.py b/test/int/test_sql.py
index 528192325c636df74ba753279c3cf328ded4f212..e3bfb62a68179b74b4c367cd52f79c1f526109c4 100644
--- a/test/int/test_sql.py
+++ b/test/int/test_sql.py
@@ -1452,3 +1452,22 @@ def test_sql_privileges(cluster: Cluster):
     assert dml["row_count"] == 2
     dml = i1.sql(f""" delete from "{table_name}" """, user=username, password=alice_pwd)
     assert dml["row_count"] == 2
+
+
+def test_user_changes_password(cluster: Cluster):
+    i1, *_ = cluster.deploy(instance_count=1)
+    user_name = "U"
+    old_password = "12341234"
+    new_password = "11111111"
+
+    i1.create_user(with_name=user_name, with_password=old_password)
+
+    i1.sql(
+        f"""
+        ALTER USER "{user_name}" PASSWORD '{new_password}'
+        """,
+        user=user_name,
+        password=old_password,
+    )
+    # ensure we can authenticate with new password
+    i1.sql("SELECT * FROM (VALUES (1))", user=user_name, password=new_password)