diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 926e3c678d4ca43954f3774c1ee5f27775240964..5c97877e7308959fd8fd83ced72a4150eaf1c1cb 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -215,9 +215,19 @@ class PublicKeyTokenProvider implements IProvider {
 	}
 
 	public function setPassword(IToken $token, string $tokenId, string $password) {
-		// Kill all temp tokens except the current token
+		if (!($token instanceof PublicKeyToken)) {
+			throw new InvalidTokenException();
+		}
+
+		// Update the password for all tokens
+		$tokens = $this->mapper->getTokenByUser($token->getUID());
+		foreach ($tokens as $t) {
+			$publicKey = $token->getPublicKey();
+			$t->setPassword($this->encryptPassword($password, $publicKey));
+			$this->updateToken($t);
+		}
 
-		// Update pass for all permanent tokens by rencrypting
+		//TODO: should we also do this for temp tokens?
 	}
 
 	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
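Review bot: Inside the new loop, `$publicKey = $token->getPublicKey();` reads the key of the token passed into setPassword rather than the key of the token being updated. Every other token of the user therefore has the new password encrypted under a public key whose private half it does not hold, and those tokens would presumably fail to decrypt it later (getPassword's body is not visible in this hunk). The line should be `$publicKey = $t->getPublicKey();`. The `$tokenId` parameter is no longer used in the body, and the trailing `//TODO: should we also do this for temp tokens?` should say whether getTokenByUser already returns temporary tokens, since the loop updates whatever it returns.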
diff --git a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
index 95b5b9285590cb0ada62de6998b041f533fef69c..58e152457fc108380b048007d2e88d962d36e651 100644
--- a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
@@ -132,13 +132,12 @@ class DefaultTokenProviderTest extends TestCase {
 	}
 	
 	public function testGetTokenByUser() {
-		$user = $this->createMock(IUser::class);
 		$this->mapper->expects($this->once())
 			->method('getTokenByUser')
-			->with($user)
+			->with('uid')
 			->will($this->returnValue(['token']));
 
-		$this->assertEquals(['token'], $this->tokenProvider->getTokenByUser($user));
+		$this->assertEquals(['token'], $this->tokenProvider->getTokenByUser('uid'));
 	}
 
 	public function testGetPassword() {
@@ -243,13 +242,12 @@ class DefaultTokenProviderTest extends TestCase {
 
 	public function testInvaildateTokenById() {
 		$id = 123;
-		$user = $this->createMock(IUser::class);
 
 		$this->mapper->expects($this->once())
 			->method('deleteById')
-			->with($user, $id);
+			->with('uid', $id);
 
-		$this->tokenProvider->invalidateTokenById($user, $id);
+		$this->tokenProvider->invalidateTokenById('uid', $id);
 	}
 
 	public function testInvalidateOldTokens() {
diff --git a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
index 4901001db999310de4465c30f348964dd898cea6..d5cfe5d1ee60be25965f94e81cd18e5959e27e2a 100644
--- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
@@ -121,13 +121,12 @@ class PublicKeyTokenProviderTest extends TestCase {
 	}
 
 	public function testGetTokenByUser() {
-		$user = $this->createMock(IUser::class);
 		$this->mapper->expects($this->once())
 			->method('getTokenByUser')
-			->with($user)
+			->with('uid')
 			->will($this->returnValue(['token']));
 
-		$this->assertEquals(['token'], $this->tokenProvider->getTokenByUser($user));
+		$this->assertEquals(['token'], $this->tokenProvider->getTokenByUser('uid'));
 	}
 
 	public function testGetPassword() {
@@ -189,7 +188,18 @@ class PublicKeyTokenProviderTest extends TestCase {
 
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
+		$this->mapper->method('getTokenByUser')
+			->with('user')
+			->willReturn([$actual]);
+
 		$newpass = 'newpass';
+		$this->mapper->expects($this->once())
+			->method('update')
+			->with($this->callback(function ($token) use ($newpass) {
+				return $newpass === $this->tokenProvider->getPassword($token, 'token');
+			}));
+
+
 		$this->tokenProvider->setPassword($actual, $token, $newpass);
 
 		$this->assertSame($newpass, $this->tokenProvider->getPassword($actual, 'token'));
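Review bot: The `getTokenByUser` stub returns only `[$actual]`, the same token that is handed to setPassword, so this test cannot tell whether each stored token is re-encrypted under its own public key or under the caller's. A second token for the same uid (assuming generateToken creates a key pair per token) returned alongside `$actual`, with `update` expected twice and the new password read back from both, would cover the multi-token path. The existing `update` callback decrypts with the literal `'token'`, so it would need to be dropped or made per-token. The test method starts outside this hunk.

```php
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
// second token for the same user; 'othertoken' is a constructed sample value
$other = $this->tokenProvider->generateToken('othertoken', $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);

$this->mapper->method('getTokenByUser')
	->with('user')
	->willReturn([$actual, $other]);

$newpass = 'newpass';
$this->mapper->expects($this->exactly(2))
	->method('update');

// … unchanged: setPassword call and the assertion on $actual …
$this->assertSame($newpass, $this->tokenProvider->getPassword($other, 'othertoken'));
```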
@@ -216,13 +226,12 @@ class PublicKeyTokenProviderTest extends TestCase {
 
 	public function testInvaildateTokenById() {
 		$id = 123;
-		$user = $this->createMock(IUser::class);
 
 		$this->mapper->expects($this->once())
 			->method('deleteById')
-			->with($user, $id);
+			->with('uid', $id);
 
-		$this->tokenProvider->invalidateTokenById($user, $id);
+		$this->tokenProvider->invalidateTokenById('uid', $id);
 	}
 
 	public function testInvalidateOldTokens() {