diff --git a/app/services/user.js b/app/services/user.js
index 3b61e0c..880b08e 100644
--- a/app/services/user.js
+++ b/app/services/user.js
@@ -261,26 +261,38 @@ class UserService extends SiteService {
  }
 
  async updateSettings (user, userDefinition) {
+ const { crypto: cryptoService } = this.dtp.services;
+
+ const updateOp = { $set: { }, $unset: { } };
+
  // strip characters we don't want to allow in username
- userDefinition.username = striptags(userDefinition.username.trim().replace(/[^A-Za-z0-9\-_]/gi, ''));
- const username_lc = userDefinition.username.toLowerCase();
+ updateOp.$set.username = striptags(userDefinition.username.trim().replace(/[^A-Za-z0-9\-_]/gi, ''));
+ if (!updateOp.$set.username || (updateOp.$set.username.length === 0)) {
+ throw new SiteError(400, 'Must include a username');
+ }
+ updateOp.$set.username_lc = updateOp.$set.username.toLowerCase();
 
- userDefinition.displayName = striptags(userDefinition.displayName.trim());
- userDefinition.bio = striptags(userDefinition.bio.trim());
+ if (userDefinition.displayName && (userDefinition.displayName.length > 0)) {
+ updateOp.$set.displayName = striptags(userDefinition.displayName.trim());
+ } else {
+ updateOp.$unset.displayName = 1;
+ }
 
- this.log.info('updating user settings', { userDefinition });
- await User.updateOne(
- { _id: user._id },
- {
- $set: {
- username: userDefinition.username,
- username_lc,
- displayName: userDefinition.displayName,
- bio: userDefinition.bio,
- theme: userDefinition.theme || 'dtp-light',
- },
- },
- );
+ if (userDefinition.bio && (userDefinition.bio.length > 0)) {
+ updateOp.$set.bio = striptags(userDefinition.bio.trim());
+ } else {
+ updateOp.$unset.bio = 1;
+ }
+
+ if (userDefinition.password && userDefinition.password.length > 0) {
+ updateOp.$set.passwordSalt = uuidv4();
+ updateOp.$set.password = cryptoService.maskPassword(updateOp.$set.passwordSalt, userDefinition.password);
+ }
+
+ updateOp.$set.theme = userDefinition.theme || 'dtp-light',
+
+ this.log.info('updating user settings', { userId: user._id });
+ await User.updateOne({ _id: user._id }, updateOp);
  }
 
  async authenticate (account, options) {
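Review bot: The new password branch in `updateSettings` overwrites `passwordSalt` and `password` whenever `userDefinition.password` is non-empty, and nothing visible in this hunk verifies the current password or validates the new value's type and length. Unless the caller already re-authenticates, a hijacked session or a forged settings request would be enough to set a new password and keep the account, so I would require the current password for this branch. Inside the branch I would also reject bad input before calling `cryptoService.maskPassword`, e.g. `if (typeof userDefinition.password !== 'string' || userDefinition.password.length < MIN_PASSWORD_LENGTH) { throw new SiteError(400, 'Invalid password'); }` (`MIN_PASSWORD_LENGTH` is a placeholder for the project's policy value). Separately, the `updateOp.$set.theme = userDefinition.theme || 'dtp-light',` line ends in a comma, so it only works because the comma operator chains it into the following `this.log.info(...)` call; it should end with `;`.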