maybe you should authenticate the form using html and javascript or doing something like this
https://guides.rubyonrails.org/active_record_validations.html

I tried but not worked here for me, so, I should use some regex in html and javascript, but I think rails has a better way.

Yes, you can simply add this in your user model: "validates :password, presence: true". Thus, it's attaching an error "Password can't be blank" to your model's instance which is displayed on the edit view. What I don't understand is that, when you don't add this validation and submit an empty form, you do get redirected to the rootpah with the notice "password updated!", which means Current.user.update(password_params) is working. So I would expect the password to be changed to an empty string, but it is not the case. The password remains unchanged. I hope it makes sense, sorry, english is not my native language.

Ok, so answering to myself: this is a default implementation (discussed here: https://github.com/rails/rails/issues/34348). And the reason for this implementation is, I quote: "the reason the password is ignored for empty strings is that if a user has a form with multiple fields (including password) and they update details but don't enter the password, then we want to allow the other details to be updated without the password being effected.". Makes sense eventually :)

Nice catch! That was really interesting to learn & try.

Scratch that... no issue. My poor spelling was the problem. Only took 45 minutes to figure that out. :/