diff --git a/src/user.js b/src/user.js
index f27b7b7d9..0a82aef4a 100644
--- a/src/user.js
+++ b/src/user.js
@@ -71,6 +71,9 @@ UserError.BAD_PASSWORD = 'Bad password';
 UserError.BAD_TOKEN = 'Bad token';
 UserError.NOT_ALLOWED = 'Not Allowed';
 
+// http://www.w3resource.com/javascript/form/example4-javascript-form-validation-password.html
+var gPasswordTestRegExp = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^a-zA-Z0-9])(?!.*\s).{8,20}$/;
+
 function listUsers(callback) {
     assert.strictEqual(typeof callback, 'function');
 
@@ -93,7 +96,7 @@ function validateUsername(username) {
 function validatePassword(password) {
     assert.strictEqual(typeof password, 'string');
 
-    if (password.length < 5) return new UserError(UserError.BAD_PASSWORD, 'Password must be atleast 5 chars');
+    if(!password.value.match(gPasswordTestRegExp)) return new UserError(UserError.BAD_PASSWORD, 'Password must be 8-20 character with at least one uppercase, one numeric and one special character');
 
     return null;
 }