' +
'
+
diff --git a/pages/users.js.php b/pages/users.js.php
index 1c57346c4..3d32dcfaf 100755
--- a/pages/users.js.php
+++ b/pages/users.js.php
@@ -491,64 +491,6 @@ function(data) {
);
});
-
- function userTasksCreation(userId, userPassword, userTemporaryCode)
- {
- var data = {
- user_id: userId,
- user_pwd: userPassword,
- user_code: userTemporaryCode,
- }
-
- // Do query
- $.post(
- "sources/users.queries.php", {
- type: "create_new_user_tasks",
- data: prepareExchangedData(JSON.stringify(data), 'encode', 'get('key'); ?>'),
- key: 'get('key'); ?>'
- },
- function(data) {
- data = prepareExchangedData(data, "decode", "get('key'); ?>");
- if (debugJavascript === true) {
- console.info("Réception des données :")
- console.log(data);
- }
-
- if (data.error === true) {
- // error
- toastr.remove();
- toastr.error(
- data.message,
- 'get('caution'); ?>', {
- timeOut: 5000,
- progressBar: true
- }
- );
-
- dfd.reject();
- } else {
- // show message to user
- $('#warningModal').modal('hide');
-
- // Inform user
- toastr.success(
- 'get('done'); ?>',
- '', {
- timeOut: 2000
- }
- );
-
- // Reload list of users
- oTable.ajax.reload();
-
- // Prepare UI
- $('#row-list, #group-create-special-folder, #group-delete-user').removeClass('hidden');
- $('#row-form').addClass('hidden');
- }
- }
- );
- }
-
/**
*
*/
diff --git a/sources/identify.php b/sources/identify.php
index 00d41cee7..e2e2b4dec 100755
--- a/sources/identify.php
+++ b/sources/identify.php
@@ -520,7 +520,6 @@ function identifyUser(string $sentData, array $SETTINGS): bool
$session->set('user-name', empty($userInfo['name']) === false ? stripslashes($userInfo['name']) : '');
$session->set('user-lastname', empty($userInfo['lastname']) === false ? stripslashes($userInfo['lastname']) : '');
$session->set('user-id', (int) $userInfo['id']);
- $session->set('user-password', $passwordClear);
$session->set('user-admin', (int) $userInfo['admin']);
$session->set('user-manager', (int) $userInfo['gestionnaire']);
$session->set('user-can_manage_all_users', $userInfo['can_manage_all_users']);
@@ -1463,20 +1462,19 @@ function finalizeAuthentication(
'id = %i',
$userInfo['id']
);
- } elseif ($passwordManager->verifyPassword($userInfo['pw'], $passwordClear) === false) {
+ } elseif ($passwordManager->verifyPassword($hashedPassword, $passwordClear) === false) {
// Case where user is auth by LDAP but his password in Teampass is not synchronized
// For example when user has changed his password in AD.
// So we need to update it in Teampass and ask for private key re-encryption
DB::update(
prefixTable('users'),
[
- 'pw' => $hashedPassword,
+ 'pw' => $passwordManager->hashPassword($passwordClear),
],
'id = %i',
$userInfo['id']
);
}
- if (WIP === true) error_log("finalizeAuthentication - hashedPassword: " . $hashedPassword. " | ".$passwordManager->verifyPassword($userInfo['pw'], $passwordClear)." || ".$passwordClear);
}
/**
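Review bot: The rewritten condition `} elseif ($passwordManager->verifyPassword($hashedPassword, $passwordClear) === false) {` checks the cleartext against `$hashedPassword`, a variable assigned before this hunk, so it is not visible here whether it holds the hash currently stored for the user (the old code read `$userInfo['pw']`) or a hash freshly derived from `$passwordClear`; in the second case the branch can never be true and the re-sync `DB::update` becomes dead code. Since the comment above the update describes an LDAP password that changed in the directory, the intent is presumably "stored hash no longer matches", which the old left-hand operand expressed directly. A one-line comment at the condition naming what `$hashedPassword` is, e.g. `// $hashedPassword is the hash stored in users.pw for this account`, would make the check reviewable without scrolling up. The function `finalizeAuthentication` begins outside this hunk.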
@@ -2520,6 +2518,21 @@ function createOauth2User(
// Oauth2 user already exists and authenticated
if (WIP === true) error_log("--- USER AUTHENTICATED ---");
$userInfo['has_been_created'] = 0;
+
+ $passwordManager = new PasswordManager();
+
+ // Update user hash un database if needed
+ if (!$passwordManager->verifyPassword($userInfo['pw'], $passwordClear)) {
+ DB::update(
+ prefixTable('users'),
+ [
+ 'pw' => $passwordManager->hashPassword($passwordClear),
+ ],
+ 'id = %i',
+ $userInfo['id']
+ );
+ }
+
return [
'error' => false,
'retExternalAD' => $userInfo,
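Review bot: The new block overwrites `users.pw` with a hash of `$passwordClear` whenever the existing hash does not verify, but nothing here rejects an empty or missing cleartext, and `$passwordClear` is assigned outside this hunk; if it can be empty on the OAuth2 path, the stored hash would be replaced by the hash of an empty string. Guarding the update with `if ($passwordClear !== '' && !$passwordManager->verifyPassword($userInfo['pw'], $passwordClear)) {` keeps the re-sync without that edge. The comment `// Update user hash un database if needed` should read `// Update user hash in database if needed`. The function `createOauth2User` begins and ends outside this hunk.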
@@ -2528,7 +2541,7 @@ function createOauth2User(
];
}
- // return if no addmin
+ // return if no admin
return [
'error' => false,
'retLDAP' => [],
diff --git a/sources/main.functions.php b/sources/main.functions.php
index e4ba3b7fe..aa8104b34 100755
--- a/sources/main.functions.php
+++ b/sources/main.functions.php
@@ -3632,6 +3632,7 @@ function handleUserKeys(
'pw' => $hashedPassword,
'public_key' => $userKeys['public_key'],
'private_key' => $userKeys['private_key'],
+ 'keys_recovery_time' => NULL,
),
'id=%i',
$userId
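Review bot: The added `'keys_recovery_time' => NULL,` uses uppercase `NULL`, which PSR-12 writes as `null`; the same spelling appears in the next hunk of this function (`$session->set('user-keys_recovery_time', NULL)`) and in the `generate-keys` update in users.queries.php. The column reset here carries no explanation while the session reset in the following hunk does; copying that intent onto this line, e.g. `'keys_recovery_time' => null, // cleared so the user is prompted to download the regenerated keys`, keeps the two resets self-explanatory. The function `handleUserKeys` begins and ends outside this hunk.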
@@ -3641,6 +3642,8 @@ function handleUserKeys(
if ($userId === $session->get('user-id')) {
$session->set('user-private_key', $userKeys['private_key_clear']);
$session->set('user-public_key', $userKeys['public_key']);
+ // Notify user that he must re download his keys:
+ $session->set('user-keys_recovery_time', NULL);
}
// Manage empty encryption key
@@ -4165,7 +4168,7 @@ function handleUserRecoveryKeysDownload(int $userId, array $SETTINGS):string
$session = SessionManager::getSession();
// Check if user exists
$userInfo = DB::queryFirstRow(
- 'SELECT pw, public_key, private_key, login, name
+ 'SELECT login
FROM ' . prefixTable('users') . '
WHERE id = %i',
$userId
@@ -4177,8 +4180,8 @@ function handleUserRecoveryKeysDownload(int $userId, array $SETTINGS):string
$export_value = file_get_contents(__DIR__."/../includes/core/teampass_ascii.txt")."\n".
"Generation date: ".date($SETTINGS['date_format'] . ' ' . $SETTINGS['time_format'], $now)."\n\n".
"RECOVERY KEYS - Not to be shared - To be store safely\n\n".
- "Public Key:\n".$userInfo['public_key']."\n\n".
- "Private Key:\n".decryptPrivateKey($session->get('user-password'), $userInfo['private_key'])."\n\n";
+ "Public Key:\n".$session->get('user-public_key')."\n\n".
+ "Private Key:\n".$session->get('user-private_key')."\n\n";
// Update user's keys_recovery_time
DB::update(
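Review bot: After this change the exported "Public Key" and "Private Key" are read from `$session->get('user-public_key')` / `$session->get('user-private_key')`, i.e. the session user's keys, while the function still takes `$userId` as a parameter, checks that row's existence, and updates `keys_recovery_time` for `$userId`. Whether any caller passes an id other than the session user's is not visible here, but if one does, the file would contain the caller's keys labelled for another account and the wrong row would be stamped as recovered. Making the assumption explicit at the top of the function avoids that, e.g. `if ($userId !== (int) $session->get('user-id')) { return /* error in the function's usual shape */; }`, or alternatively dropping the `$userId` parameter's role and documenting that only the current user's keys can be exported. The function `handleUserRecoveryKeysDownload` begins and ends outside this hunk.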
diff --git a/sources/main.queries.php b/sources/main.queries.php
index c9d36aa89..60b4ba1f9 100755
--- a/sources/main.queries.php
+++ b/sources/main.queries.php
@@ -212,6 +212,7 @@ function mainQuery(array $SETTINGS)
function passwordHandler(string $post_type, /*php8 array|null|string*/ $dataReceived, array $SETTINGS): string
{
$session = SessionManager::getSession();
+ $lang = new Language($session->get('user-language') ?? 'english');
switch ($post_type) {
case 'change_pw'://action_password
@@ -239,10 +240,33 @@ function passwordHandler(string $post_type, /*php8 array|null|string*/ $dataRece
* User's authentication password in LDAP has changed
*/
case 'change_user_ldap_auth_password'://action_password
+
+ // Users passwords are html escaped
+ $userPassword = filter_var($dataReceived['current_password'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+
+ // Get current user hash
+ $userHash = DB::queryFirstRow(
+ "SELECT pw FROM " . prefixtable('users') . " WHERE id = %d;",
+ $session->get('user-id')
+ )['pw'];
+
+ $passwordManager = new PasswordManager();
+
+ // Verify provided user password
+ if (!$passwordManager->verifyPassword($userHash, $userPassword)) {
+ return prepareExchangedData(
+ array(
+ 'error' => true,
+ 'message' => $lang->get('error_bad_credentials'),
+ ),
+ 'encode'
+ );
+ }
+
return /** @scrutinizer ignore-call */ changeUserLDAPAuthenticationPassword(
(int) $session->get('user-id'),
filter_var($dataReceived['previous_password'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
- filter_var($dataReceived['current_password'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
+ filter_var($userPassword),
$SETTINGS
);
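Review bot: `filter_var($userPassword)` on the changed argument line applies only the default filter to a value that was already sanitised with `FILTER_SANITIZE_FULL_SPECIAL_CHARS` a few lines above, so it is a no-op and should simply be `$userPassword,`. The stored-hash lookup followed by `verifyPassword` and the `error_bad_credentials` return added here is repeated almost verbatim in keyHandler's `change_private_key_encryption_password` and `user_new_keys_generation` cases further down this diff; extracting it into one helper also fixes two details shared by all three copies: `DB::queryFirstRow(...)['pw']` indexes `null` when no row comes back and then hands `null` to `verifyPassword`, and the query spells the helper `prefixtable` with placeholder `%d` while the rest of the file uses `prefixTable` and `%i`. A sketch of the helper and of this case rewritten to use it follows. The enclosing function `passwordHandler` continues outside this hunk.

```php
/**
 * Verify a submitted password against the stored hash of the session user.
 * Returns false when the user row is missing or the hash does not match.
 */
function isSessionUserPasswordValid(string $password): bool
{
    $session = SessionManager::getSession();
    $row = DB::queryFirstRow(
        'SELECT pw FROM ' . prefixTable('users') . ' WHERE id = %i',
        (int) $session->get('user-id')
    );
    if ($row === null || !isset($row['pw'])) {
        return false;
    }

    return (new PasswordManager())->verifyPassword($row['pw'], $password);
}

// … in case 'change_user_ldap_auth_password':
$userPassword = filter_var($dataReceived['current_password'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if (!isSessionUserPasswordValid($userPassword)) {
    return prepareExchangedData(
        array(
            'error' => true,
            'message' => $lang->get('error_bad_credentials'),
        ),
        'encode'
    );
}
// … unchanged: changeUserLDAPAuthenticationPassword(...) call, passing $userPassword directly …
```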
@@ -561,6 +585,7 @@ function mailHandler(string $post_type, /*php8 array|null|string */$dataReceived
function keyHandler(string $post_type, /*php8 array|null|string */$dataReceived, array $SETTINGS): string
{
$session = SessionManager::getSession();
+ $lang = new Language($session->get('user-language') ?? 'english');
// List of post types allowed to all users
$all_users_can_access = [
@@ -648,10 +673,33 @@ function keyHandler(string $post_type, /*php8 array|null|string */$dataReceived,
* User's public/private keys change
*/
case 'change_private_key_encryption_password'://action_key
+
+ // Users passwords are html escaped
+ $newPassword = filter_var($dataReceived['new_code'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+
+ // Get current user hash
+ $userHash = DB::queryFirstRow(
+ "SELECT pw FROM " . prefixtable('users') . " WHERE id = %d;",
+ $session->get('user-id')
+ )['pw'];
+
+ $passwordManager = new PasswordManager();
+
+ // Verify provided user password
+ if (!$passwordManager->verifyPassword($userHash, $newPassword)) {
+ return prepareExchangedData(
+ array(
+ 'error' => true,
+ 'message' => $lang->get('error_bad_credentials'),
+ ),
+ 'encode'
+ );
+ }
+
return changePrivateKeyEncryptionPassword(
(int) filter_var($filtered_user_id, FILTER_SANITIZE_NUMBER_INT),
(string) $dataReceived['current_code'],
- (string) filter_var($dataReceived['new_code'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
+ (string) $newPassword,
(string) filter_var($dataReceived['action_type'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
$SETTINGS
);
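Review bot: The hash fetched and verified here belongs to `$session->get('user-id')`, while the keys being re-encrypted belong to `$filtered_user_id`, which is passed to `changePrivateKeyEncryptionPassword` on the following lines; if those two ids can differ (not visible in this hunk), the check proves that the caller knows their own login password, not that `$newPassword` is the target account's password. Because `new_code` becomes the password under which the target's private key is encrypted, the intended invariant deserves a comment at the check, e.g. `// new_code must be the caller's own login password: private keys are encrypted with it`, or an explicit `$filtered_user_id === $session->get('user-id')` guard if that is the only supported case. The enclosing function `keyHandler` continues outside this hunk.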
@@ -661,14 +709,35 @@ function keyHandler(string $post_type, /*php8 array|null|string */$dataReceived,
*/
case 'user_new_keys_generation'://action_key
- // Handle the case where no PWD is provided (user reset his own encryption keys).
- if (empty($dataReceived['user_pwd']) && (int) $filtered_user_id === $session->get('user-id')) {
- $dataReceived['user_pwd'] = $session->get('user-password');
+ // Users passwords are html escaped
+ $userPassword = filter_var($dataReceived['user_pwd'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+
+ // Don't generate new user password -> verify it
+ if ($dataReceived['generate_user_new_password'] !== true) {
+
+ // Get current user hash
+ $userHash = DB::queryFirstRow(
+ "SELECT pw FROM " . prefixtable('users') . " WHERE id = %d;",
+ $session->get('user-id')
+ )['pw'];
+
+ $passwordManager = new PasswordManager();
+
+ // Verify provided user password
+ if (!$passwordManager->verifyPassword($userHash, $userPassword)) {
+ return prepareExchangedData(
+ array(
+ 'error' => true,
+ 'message' => $lang->get('error_bad_credentials'),
+ ),
+ 'encode'
+ );
+ }
}
return handleUserKeys(
(int) filter_var($filtered_user_id, FILTER_SANITIZE_NUMBER_INT),
- (string) filter_var($dataReceived['user_pwd'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
+ (string) $userPassword,
(int) isset($SETTINGS['maximum_number_of_items_to_treat']) === true ? $SETTINGS['maximum_number_of_items_to_treat'] : NUMBER_ITEMS_IN_BATCH,
(string) filter_var($dataReceived['encryption_key'], FILTER_SANITIZE_FULL_SPECIAL_CHARS),
(bool) filter_var($dataReceived['delete_existing_keys'], FILTER_VALIDATE_BOOLEAN),
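Review bot: `if ($dataReceived['generate_user_new_password'] !== true) {` is a strict comparison against a bool, whereas the sibling flag `delete_existing_keys` on the call below is normalised with `filter_var(..., FILTER_VALIDATE_BOOLEAN)`; if the decoded payload carries this flag as `"true"` or `1`, the password-verification branch is always entered and a generated-password request fails with `error_bad_credentials`. Normalising it the same way, `if (filter_var($dataReceived['generate_user_new_password'] ?? false, FILTER_VALIDATE_BOOLEAN) === false) {`, keeps the two flags consistent. The removed branch also covered a self-reset with no `user_pwd` in the payload; the new `filter_var($dataReceived['user_pwd'], ...)` would then raise an undefined-index warning and verify an empty string, so `$dataReceived['user_pwd'] ?? ''` is safer. As in the previous case, the hash verified is the session user's while the keys regenerated are `$filtered_user_id`'s; whether an administrator resetting another account with a supplied `user_pwd` is still a supported path is worth confirming, since that request would now be checked against the administrator's own hash.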
@@ -1776,19 +1845,15 @@ function changePrivateKeyEncryptionPassword(
$lang = new Language($session->get('user-language') ?? 'english');
if (empty($post_new_code) === true) {
- if (empty($session->get('user-password')) === false) {
- $post_new_code = $session->get('user-password');
- } else {
- // no user password???
- return prepareExchangedData(
- array(
- 'error' => true,
- 'message' => $lang->get('error_no_user_password_exists'),
- 'debug' => '',
- ),
- 'encode'
- );
- }
+ // no user password
+ return prepareExchangedData(
+ array(
+ 'error' => true,
+ 'message' => $lang->get('error_bad_credentials'),
+ 'debug' => '',
+ ),
+ 'encode'
+ );
}
if (isUserIdValid($post_user_id) === true) {
diff --git a/sources/users.queries.php b/sources/users.queries.php
index 82461f9f8..355e0d81d 100755
--- a/sources/users.queries.php
+++ b/sources/users.queries.php
@@ -3203,6 +3203,23 @@
$post_user_pwd = isset($dataReceived['user_pwd']) === true ? ($dataReceived['user_pwd']) : '';
$post_user_code = ($dataReceived['user_code']);
+ // Search TP_USER in db
+ $userTP = DB::queryFirstRow(
+ 'SELECT pw
+ FROM ' . prefixTable('users') . '
+ WHERE id = %i',
+ TP_USER_ID
+ );
+ if (DB::count() === 0) {
+ return prepareExchangedData(
+ array(
+ 'error' => true,
+ 'message' => 'User not exists',
+ ),
+ 'encode'
+ );
+ }
+
// Create process
DB::insert(
prefixTable('background_tasks'),
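Review bot: `if (DB::count() === 0)` tests a connection-level counter after `DB::queryFirstRow`, while the value actually used later is `$userTP`; checking the value directly, `if ($userTP === null || empty($userTP['pw'])) {`, also covers a row whose `pw` is empty, which the current check lets through into the task record. The error string `'User not exists'` is hard-coded English while the same handler localises its other messages through `$lang->get(...)` a few lines below, so it should go through the language layer as well. The enclosing block begins before this hunk.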
@@ -3213,8 +3230,8 @@
'new_user_id' => (int) $post_user_id,
'new_user_pwd' => empty($post_user_pwd) === true ? '' : cryption($post_user_pwd, '','encrypt', $SETTINGS)['string'],
'new_user_code' => cryption($post_user_code, '','encrypt', $SETTINGS)['string'],
- 'owner_id' => (int) $session->get('user-id'),
- 'creator_pwd' => cryption($session->get('user-password'), '','encrypt', $SETTINGS)['string'],
+ 'owner_id' => (int) TP_USER_ID,
+ 'creator_pwd' => $userTP['pw'],
'email_body' => $lang->get('email_body_user_config_5'),
'send_email' => 1,
]),
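Review bot: `'creator_pwd' => $userTP['pw'],` stores the `users.pw` column value as-is, whereas the removed line wrapped the creator password with `cryption(..., 'encrypt', $SETTINGS)`; whatever consumes `background_tasks.creator_pwd` must therefore now treat the field as the stored `pw` value rather than decrypt it, and that consumer is not part of this diff, so it is worth confirming it was updated together with this change. A comment on the line, e.g. `// creator_pwd carries TP_USER's stored pw value as-is (no cryption wrapper)`, would stop a future reader from re-adding the wrapper. Attributing `owner_id` to `TP_USER_ID` instead of the session user also means the task no longer records who triggered the creation; if that is needed for the audit trail, it presumably has to be logged elsewhere.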
@@ -3325,6 +3342,8 @@
'otp_provided' => 0,
'ongoing_process_id' => $processId,
'special' => 'generate-keys',
+ // Notify user that he must re download his keys:
+ 'keys_recovery_time' => NULL,
),
'id = %i',
$post_user_id