I've had to add :registrationable to allow editing of passwords etc

Althouth I need to remove the routes for sign_up.

app/models/user.rb

@@ -1,5 +1,5 @@
 class User < ApplicationRecord
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
-  devise :database_authenticatable, :recoverable, :rememberable, :validatable, :lockable, :timeoutable, :trackable
+  devise :database_authenticatable, :recoverable, :rememberable, :validatable, :lockable, :timeoutable, :trackable, :registerable
 end

app/views/devise/shared/_links.html.erb

@@ -2,7 +2,7 @@
   <%= link_to "Log in", new_session_path(resource_name) %><br />
 <% end %>
 
-<%- if devise_mapping.registerable? && controller_name != 'registrations' %>
+<%- if devise_mapping.registerable? && controller_name != 'registrations' && false %>
   <%= link_to "Sign up", new_registration_path(resource_name) %><br />
 <% end %>
 

app/views/domains/index.html.erb

@@ -1,3 +1,5 @@
+<% if user_signed_in? %><%= link_to current_user.email, edit_user_password_path %><% end %>
+
 <h1>Domains <%= link_to "Add new domain",new_domain_path %> </h1>
 
 <div id="domains">

config/initializers/devise.rb

@@ -178,7 +178,7 @@ Devise.setup do |config|
 
   # ==> Configuration for :validatable
   # Range for password length.
-  config.password_length = 6..128
+  config.password_length = 16..128
 
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
@@ -208,7 +208,7 @@ Devise.setup do |config|
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 3
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour