diff --git a/src/Core/Users/User.php b/src/Core/Users/User.php
index da2a0aa19..db1ed8e54 100755
--- a/src/Core/Users/User.php
+++ b/src/Core/Users/User.php
@@ -32,6 +32,7 @@ use Flarum\Core\Support\Locked;
 use Flarum\Core\Support\VisibleScope;
 use Flarum\Core\Support\EventGenerator;
 use Flarum\Core\Support\ValidatesBeforeSave;
+use Flarum\Core\Exceptions\ValidationException;
 
 /**
  * @todo document database columns with @property
@@ -149,6 +150,8 @@ class User extends Model
     {
         $user = new static;
 
+        $this->assertValidPassword($password);
+
         $user->username  = $username;
         $user->email     = $email;
         $user->password  = $password;
@@ -225,6 +228,8 @@ class User extends Model
      */
     public function changePassword($password)
     {
+        $this->assertValidPassword($password);
+
         $this->password = $password;
 
         $this->raise(new UserPasswordWasChanged($this));
@@ -232,6 +237,20 @@ class User extends Model
         return $this;
     }
 
+    /**
+     * Validate password input.
+     *
+     * @param string $password
+     * @return void
+     * @throws \Flarum\Core\Exceptions\ValidationException
+     */
+    protected function assertValidPassword($password)
+    {
+        if (strlen($password) < 8) {
+            throw new ValidationException(['password' => 'Password must be at least 8 characters']);
+        }
+    }
+
     /**
      * Set the password attribute, storing it as a hash.
      *