diff --git a/src/porchlight/app.py b/src/porchlight/app.py
index 91bb490..d399923 100644
--- a/src/porchlight/app.py
+++ b/src/porchlight/app.py
@@ -128,6 +128,7 @@ def create_app(settings: Settings | None = None) -> FastAPI:
     )
 
     # Rate limiting
+    limiter.enabled = settings.rate_limit_enabled
     app.state.limiter = limiter
 
     @app.exception_handler(RateLimitExceeded)
diff --git a/src/porchlight/config.py b/src/porchlight/config.py
index 90e036e..38fb597 100644
--- a/src/porchlight/config.py
+++ b/src/porchlight/config.py
@@ -52,6 +52,9 @@ class Settings(BaseSettings):
     # Magic links
     invite_ttl: int = 86400  # seconds
 
+    # Rate limiting (disable for e2e/load tests that authenticate repeatedly)
+    rate_limit_enabled: bool = True
+
     # Signing keys
     signing_key_path: str = "data/keys"
 
diff --git a/src/porchlight/templates/manage/credentials.html b/src/porchlight/templates/manage/credentials.html
index 6d4c269..a37221e 100644
--- a/src/porchlight/templates/manage/credentials.html
+++ b/src/porchlight/templates/manage/credentials.html
@@ -38,7 +38,8 @@
         {% else %}
         <p>No password set.</p>
         {% endif %}
-        <form hx-post="/manage/credentials/password" hx-target="#password-section" hx-swap="innerHTML">
+        <div id="password-error"></div>
+        <form hx-post="/manage/credentials/password" hx-target="#password-error" hx-swap="innerHTML">
             <input type="hidden" name="csrf_token" value="{{ csrf_token_processor(request) }}">
             {% if has_password %}
             <div>
diff --git a/tests/e2e/credentials.spec.js b/tests/e2e/credentials.spec.js
index 0270822..bc5fd3f 100644
--- a/tests/e2e/credentials.spec.js
+++ b/tests/e2e/credentials.spec.js
@@ -42,6 +42,7 @@ test.describe('Credentials page', () => {
 
   test.describe('Password validation', () => {
     test('shows mismatch error', async ({ page }) => {
+      await page.fill('#current_password', fixtures.cred_password);
       await page.fill('#password', 'newpassword1');
       await page.fill('#confirm', 'newpassword2');
       await page.click('#password-section button[type="submit"]');
@@ -51,6 +52,23 @@ test.describe('Credentials page', () => {
       await expect(alert).toContainText('do not match');
     });
 
+    test('keeps the password form visible after a validation error', async ({ page }) => {
+      await page.fill('#current_password', fixtures.cred_password);
+      await page.fill('#password', 'newpassword1');
+      await page.fill('#confirm', 'newpassword2');
+      await page.click('#password-section button[type="submit"]');
+
+      const alert = page.locator('#password-section [role="alert"]');
+      await expect(alert).toBeVisible({ timeout: 5000 });
+
+      // Regression: the form and its inputs must NOT disappear on error.
+      await expect(page.locator('#password')).toBeVisible();
+      await expect(page.locator('#confirm')).toBeVisible();
+      await expect(
+        page.locator('#password-section button[type="submit"]'),
+      ).toBeVisible();
+    });
+
     test('password input has minlength="8"', async ({ page }) => {
       await expect(page.locator('#password')).toHaveAttribute('minlength', '8');
     });
@@ -62,8 +80,9 @@ test.describe('Credentials page', () => {
 
   test.describe('Password change', () => {
     test('succeeds with matching passwords', async ({ page }) => {
-      await page.fill('#password', 'newpassword123');
-      await page.fill('#confirm', 'newpassword123');
+      await page.fill('#current_password', fixtures.cred_password);
+      await page.fill('#password', 'purple-tiger-mountain-42');
+      await page.fill('#confirm', 'purple-tiger-mountain-42');
       await page.click('#password-section button[type="submit"]');
 
       const status = page.locator('#password-section [role="status"]');
diff --git a/tests/e2e/full-flow.spec.js b/tests/e2e/full-flow.spec.js
index 5d472f6..be797d2 100644
--- a/tests/e2e/full-flow.spec.js
+++ b/tests/e2e/full-flow.spec.js
@@ -30,8 +30,8 @@ test.describe('Full user journey', () => {
     await expect(passwordInput).toBeVisible();
     await expect(confirmInput).toBeVisible();
 
-    await passwordInput.fill('mypassword123');
-    await confirmInput.fill('mypassword123');
+    await passwordInput.fill('purple-tiger-mountain-42');
+    await confirmInput.fill('purple-tiger-mountain-42');
     await page.click('#password-section button[type="submit"]');
 
     // Wait for success message
@@ -51,7 +51,7 @@ test.describe('Full user journey', () => {
 
     // ---- Step 4: Login with the password we just set ----
     await page.fill('#username', fixtures.register_username);
-    await page.fill('#password', 'mypassword123');
+    await page.fill('#password', 'purple-tiger-mountain-42');
     await page.click('form[hx-post="/login/password"] button[type="submit"]');
 
     // Wait for redirect to credentials page
diff --git a/tests/e2e/run.sh b/tests/e2e/run.sh
index 7a9f9b4..7b6156e 100755
--- a/tests/e2e/run.sh
+++ b/tests/e2e/run.sh
@@ -28,6 +28,7 @@ echo "Starting Porchlight on port ${PORT}..."
 echo "  DB: ${OIDC_OP_SQLITE_PATH}"
 OIDC_OP_ISSUER="${TARGET_URL}" \
 OIDC_OP_DEBUG=true \
+OIDC_OP_RATE_LIMIT_ENABLED=false \
   uv run --directory "$PROJECT_ROOT" \
   uvicorn porchlight.app:create_app \
     --factory --host 127.0.0.1 --port "$PORT" \