diff --git a/src/test/users-test.js b/src/test/users-test.js
index d035791de..b2f82a614 100644
--- a/src/test/users-test.js
+++ b/src/test/users-test.js
@@ -169,7 +169,7 @@ describe('User', function () {
         });
 
         it('fails due to invalid username', function (done) {
-            users.create('moo-daemon', PASSWORD, EMAIL, DISPLAY_NAME, AUDIT_SOURCE, function (error, result) {
+            users.create('moo+daemon', PASSWORD, EMAIL, DISPLAY_NAME, AUDIT_SOURCE, function (error, result) {
                 expect(error).to.be.ok();
                 expect(result).to.not.be.ok();
                 expect(error.reason).to.equal(UsersError.BAD_FIELD);
diff --git a/src/users.js b/src/users.js
index 61c31ac81..f03d5d7be 100644
--- a/src/users.js
+++ b/src/users.js
@@ -91,8 +91,8 @@ function validateUsername(username) {
 
     if (constants.RESERVED_NAMES.indexOf(username) !== -1) return new UsersError(UsersError.BAD_FIELD, 'Username is reserved');
 
-    // +/- can be tricky in emails. also need to consider valid LDAP characters here (e.g '+' is reserved)
-    if (/[^a-zA-Z0-9.]/.test(username)) return new UsersError(UsersError.BAD_FIELD, 'Username can only contain alphanumerals and dot');
+    // also need to consider valid LDAP characters here (e.g '+' is reserved)
+    if (/[^a-zA-Z0-9.-]/.test(username)) return new UsersError(UsersError.BAD_FIELD, 'Username can only contain alphanumerals, dot and -');
 
     // app emails are sent using the .app suffix
     if (username.indexOf('.app') !== -1) return new UsersError(UsersError.BAD_FIELD, 'Username pattern is reserved for apps');