diff --git a/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts b/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts
index aa02e28b3b3..e8521a72b99 100644
--- a/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts
+++ b/apps/web/src/app/auth/core/services/registration/web-registration-finish.service.spec.ts
@@ -186,7 +186,7 @@ describe("WebRegistrationFinishService", () => {
       emailVerificationToken = "emailVerificationToken";
       masterKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as MasterKey;
       passwordInputResult = {
-        masterKey: masterKey,
+        newMasterKey: masterKey,
         serverMasterKeyHash: "serverMasterKeyHash",
         localMasterKeyHash: "localMasterKeyHash",
         kdfConfig: DEFAULT_KDF_CONFIG,
diff --git a/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts b/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts
index d9716e79d8f..b82a4aa28f1 100644
--- a/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts
+++ b/apps/web/src/app/auth/settings/security/password-settings/password-settings.component.ts
@@ -24,6 +24,7 @@ export class PasswordSettingsComponent implements OnInit {
   ) {}
 
   async ngOnInit() {
+    // TODO-rr-bw: test that no MP = get routed to settings/security/two-factor
     const userHasMasterPassword = await firstValueFrom(
       this.userDecryptionOptionsService.hasMasterPassword$,
     );
diff --git a/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts b/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
index 2377f273531..86064e9ea15 100644
--- a/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
+++ b/libs/auth/src/angular/change-existing-password/change-existing-password.component.ts
@@ -61,7 +61,7 @@ export class ChangeExistingPasswordComponent implements OnInit {
       this.accountService.activeAccount$.pipe(map((a) => a?.email)),
     );
 
-    const userId = await firstValueFrom(this.accountService.activeAccount$.pipe(map((a) => a?.id)));
+    const userId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
 
     this.masterPasswordPolicyOptions = await firstValueFrom(
       this.policyService.masterPasswordPolicyOptions$(userId),
@@ -77,23 +77,21 @@ export class ChangeExistingPasswordComponent implements OnInit {
   }
 
   async submitNew(passwordInputResult: PasswordInputResult) {
+    const { currentPassword, newPassword, hint, rotateUserKey } = passwordInputResult;
+
     try {
-      if (passwordInputResult.rotateUserKey) {
+      if (rotateUserKey) {
         await this.syncService.fullSync(true);
         const user = await firstValueFrom(this.accountService.activeAccount$);
 
         await this.changePasswordService.rotateUserKeyMasterPasswordAndEncryptedData(
-          passwordInputResult.currentPassword,
-          passwordInputResult.newPassword,
+          currentPassword,
+          newPassword,
           user,
-          passwordInputResult.hint,
+          hint,
         );
       } else {
-        await this.updatePassword(
-          passwordInputResult.currentPassword,
-          passwordInputResult.newPassword,
-          passwordInputResult.hint,
-        );
+        await this.updatePassword(currentPassword, newPassword, hint);
       }
     } catch (e) {
       this.toastService.showToast({
@@ -118,7 +116,7 @@ export class ChangeExistingPasswordComponent implements OnInit {
     const userId = await firstValueFrom(getUserId(this.accountService.activeAccount$));
     const newLocalKeyHash = await this.keyService.hashMasterKey(
       passwordInputResult.newPassword,
-      passwordInputResult.masterKey,
+      passwordInputResult.newMasterKey,
       HashPurpose.LocalAuthorization,
     );
 
@@ -147,7 +145,7 @@ export class ChangeExistingPasswordComponent implements OnInit {
           // we need to save this for local masterkey verification during rotation
           await this.masterPasswordService.setMasterKeyHash(newLocalKeyHash, userId as UserId);
           await this.masterPasswordService.setMasterKey(
-            passwordInputResult.masterKey,
+            passwordInputResult.newMasterKey,
             userId as UserId,
           );
           return this.updateKey(passwordInputResult.newPassword);
diff --git a/libs/auth/src/angular/input-password/input-password.component.html b/libs/auth/src/angular/input-password/input-password.component.html
index 39995f9f44f..d5c0578e646 100644
--- a/libs/auth/src/angular/input-password/input-password.component.html
+++ b/libs/auth/src/angular/input-password/input-password.component.html
@@ -90,7 +90,12 @@
   <bit-form-control
     *ngIf="inputPasswordFlow === InputPasswordFlow.ChangePasswordWithOptionalUserKeyRotation"
   >
-    <input type="checkbox" bitCheckbox formControlName="rotateUserKey" />
+    <input
+      type="checkbox"
+      bitCheckbox
+      formControlName="rotateUserKey"
+      (change)="rotateUserKeyClicked()"
+    />
     <bit-label>
       {{ "rotateAccountEncKey" | i18n }}
       <a
diff --git a/libs/auth/src/angular/input-password/input-password.component.ts b/libs/auth/src/angular/input-password/input-password.component.ts
index 00c4c8bf429..f8518edf9c4 100644
--- a/libs/auth/src/angular/input-password/input-password.component.ts
+++ b/libs/auth/src/angular/input-password/input-password.component.ts
@@ -259,17 +259,21 @@ export class InputPasswordComponent implements OnInit {
 
     const kdfConfig = (await this.kdfConfigService.getKdfConfig()) || DEFAULT_KDF_CONFIG; // TODO-rr-bw: confirm this
 
-    const masterKey = await this.keyService.makeMasterKey(
+    const newMasterKey = await this.keyService.makeMasterKey(
       this.newPassword,
       this.email.trim().toLowerCase(),
       kdfConfig,
     );
 
-    const masterKeyHash = await this.keyService.hashMasterKey(this.newPassword, masterKey);
+    const serverMasterKeyHash = await this.keyService.hashMasterKey(
+      this.newPassword,
+      newMasterKey,
+      HashPurpose.ServerAuthorization,
+    );
 
     const localMasterKeyHash = await this.keyService.hashMasterKey(
       this.newPassword,
-      masterKey,
+      newMasterKey,
       HashPurpose.LocalAuthorization,
     );
 
@@ -278,7 +282,7 @@ export class InputPasswordComponent implements OnInit {
       newPassword: this.newPassword,
       hint: this.hint,
       kdfConfig,
-      masterKey,
+      newMasterKey,
       serverMasterKeyHash,
       localMasterKeyHash,
     };
diff --git a/libs/auth/src/angular/input-password/password-input-result.ts b/libs/auth/src/angular/input-password/password-input-result.ts
index 9f29d61e9ca..cc834e30a32 100644
--- a/libs/auth/src/angular/input-password/password-input-result.ts
+++ b/libs/auth/src/angular/input-password/password-input-result.ts
@@ -5,7 +5,7 @@ export interface PasswordInputResult {
   newPassword: string;
   hint: string;
   kdfConfig: KdfConfig;
-  masterKey: MasterKey;
+  newMasterKey: MasterKey;
   serverMasterKeyHash: string;
   localMasterKeyHash: string;
   currentPassword?: string;
diff --git a/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.spec.ts b/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.spec.ts
index c288f30d812..af9dfddb7ab 100644
--- a/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.spec.ts
+++ b/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.spec.ts
@@ -59,7 +59,7 @@ describe("DefaultRegistrationFinishService", () => {
       emailVerificationToken = "emailVerificationToken";
       masterKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as MasterKey;
       passwordInputResult = {
-        masterKey: masterKey,
+        newMasterKey: masterKey,
         serverMasterKeyHash: "serverMasterKeyHash",
         localMasterKeyHash: "localMasterKeyHash",
         kdfConfig: DEFAULT_KDF_CONFIG,
diff --git a/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts b/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts
index 7d844ce8cb0..74bc00e8f1d 100644
--- a/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts
+++ b/libs/auth/src/angular/registration/registration-finish/default-registration-finish.service.ts
@@ -36,7 +36,7 @@ export class DefaultRegistrationFinishService implements RegistrationFinishServi
     providerUserId?: string,
   ): Promise<string> {
     const [newUserKey, newEncUserKey] = await this.keyService.makeUserKey(
-      passwordInputResult.masterKey,
+      passwordInputResult.newMasterKey,
     );
 
     if (!newUserKey || !newEncUserKey) {
diff --git a/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.spec.ts b/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.spec.ts
index 12d4d8a2e39..1a659b2737f 100644
--- a/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.spec.ts
+++ b/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.spec.ts
@@ -111,7 +111,7 @@ describe("DefaultSetPasswordJitService", () => {
       userId = "userId" as UserId;
 
       passwordInputResult = {
-        masterKey: masterKey,
+        newMasterKey: masterKey,
         serverMasterKeyHash: "serverMasterKeyHash",
         localMasterKeyHash: "localMasterKeyHash",
         hint: "hint",
diff --git a/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.ts b/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.ts
index d018efd1112..b756e2ae653 100644
--- a/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.ts
+++ b/libs/auth/src/angular/set-password-jit/default-set-password-jit.service.ts
@@ -43,7 +43,7 @@ export class DefaultSetPasswordJitService implements SetPasswordJitService {
 
   async setPassword(credentials: SetPasswordCredentials): Promise<void> {
     const {
-      masterKey,
+      newMasterKey,
       serverMasterKeyHash,
       localMasterKeyHash,
       hint,
@@ -60,7 +60,7 @@ export class DefaultSetPasswordJitService implements SetPasswordJitService {
       }
     }
 
-    const protectedUserKey = await this.makeProtectedUserKey(masterKey, userId);
+    const protectedUserKey = await this.makeProtectedUserKey(newMasterKey, userId);
     if (protectedUserKey == null) {
       throw new Error("protectedUserKey not found. Could not set password.");
     }
@@ -85,7 +85,7 @@ export class DefaultSetPasswordJitService implements SetPasswordJitService {
     await this.masterPasswordService.setForceSetPasswordReason(ForceSetPasswordReason.None, userId);
 
     // User now has a password so update account decryption options in state
-    await this.updateAccountDecryptionProperties(masterKey, kdfConfig, protectedUserKey, userId);
+    await this.updateAccountDecryptionProperties(newMasterKey, kdfConfig, protectedUserKey, userId);
 
     await this.keyService.setPrivateKey(keyPair[1].encryptedString, userId);
 
diff --git a/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts b/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts
index 2cc1d57e61a..8a17bb4007b 100644
--- a/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts
+++ b/libs/auth/src/angular/set-password-jit/set-password-jit.service.abstraction.ts
@@ -5,7 +5,7 @@ import { MasterKey } from "@bitwarden/common/types/key";
 import { KdfConfig } from "@bitwarden/key-management";
 
 export interface SetPasswordCredentials {
-  masterKey: MasterKey;
+  newMasterKey: MasterKey;
   serverMasterKeyHash: string;
   localMasterKeyHash: string;
   kdfConfig: KdfConfig;