diff --git a/lib/model/query/users.js b/lib/model/query/users.js
index fb752c6fb..024df4d39 100644
--- a/lib/model/query/users.js
+++ b/lib/model/query/users.js
@@ -36,7 +36,9 @@ update.audit = (user, data) => (log) => log('user.update', user.actor, { data: d
 const updatePassword = (user, cleartext) => ({ run }) =>
 (cleartext.length < 10 ? reject(Problem.user.passwordTooShort())
- : hashPassword(cleartext))
+ : Buffer.from(cleartext).length > 72
+ ? reject(Problem.user.passwordTooLong())
+ : hashPassword(cleartext))
 .then((hash) => run(sql`update users set password=${hash} where "actorId"=${user.actor.id}`));
 updatePassword.audit = (user) => (log) => log('user.update', user.actor, { data: { password: true } });
diff --git a/lib/util/problem.js b/lib/util/problem.js
index 444480edd..a56ca834e 100644
--- a/lib/util/problem.js
+++ b/lib/util/problem.js
@@ -140,6 +140,8 @@ const problems = {
 encodingNotSupported: problem(400.37, () => 'Encoding not supported.'),
+ passwordTooLong: problem(400.38, () => 'The password or passphrase provided exceeds the maximum length.'),
+
 // no detail information for security reasons.
 authenticationFailed: problem(401.2, () => 'Could not authenticate with the provided credentials.'),
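Review bot: The `72` in the new `Buffer.from(cleartext).length > 72` branch of updatePassword is an undocumented magic number; it is presumably bcrypt's 72-byte input limit (input past that point is silently truncated by the hash, which is what the new check guards against), so hoist it into a named constant with a why-comment, e.g. `const BCRYPT_MAX_BYTES = 72; // bcrypt hashes at most 72 bytes; longer input would be silently truncated` and compare against that. Prefer `Buffer.byteLength(cleartext, 'utf8') > BCRYPT_MAX_BYTES`, which makes the encoding explicit and avoids allocating a second in-memory copy of the cleartext just to measure it. Note that the minimum-length check on the line above counts UTF-16 code units (`cleartext.length`) while the new maximum counts UTF-8 bytes; that is acceptable, but worth a one-line comment so the asymmetry is not "fixed" later. If a password can also be set on another path (for example when the account is created), the same upper bound should be enforced there too, since hashPassword is not shown in this hunk.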