diff --git a/packages/component-user-manager/src/routes/users/changePassword.js b/packages/component-user-manager/src/routes/users/changePassword.js
index 30073accccd603baa60cdea466dc3a35ded680f1..040fd872958cfb8856e74f26ffe010b3cb406b37 100644
--- a/packages/component-user-manager/src/routes/users/changePassword.js
+++ b/packages/component-user-manager/src/routes/users/changePassword.js
@@ -1,15 +1,16 @@
 const { services } = require('pubsweet-component-helper-service')
 const { token } = require('pubsweet-server/src/authentication')
+const { passwordStrengthRegex } = require('config')
 
 module.exports = models => async (req, res) => {
   const { password, newPassword } = req.body
   if (!services.checkForUndefinedParams(password, newPassword))
     return res.status(400).json({ error: 'Missing required params.' })
 
-  if (newPassword.length < 7)
-    return res
-      .status(400)
-      .json({ error: 'Password needs to be at least 7 characters long.' })
+  if (!passwordStrengthRegex.test(newPassword))
+    return res.status(400).json({
+      error: 'Password is too weak. Please check password requirements.',
+    })
 
   let user
   try {
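Review bot: The new check at `passwordStrengthRegex.test(newPassword)` never confirms that `newPassword` is a string, and `RegExp.prototype.test` coerces its argument, so a JSON array or other non-string body value is stringified and can pass validation. What the rest of the handler does with such a value is outside this hunk, but the policy should only ever be evaluated on the exact string that will be stored. I would tighten the guard to `if (typeof newPassword !== 'string' || !passwordStrengthRegex.test(newPassword))`. The same applies to the added checks in post.js and resetPassword.js.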
diff --git a/packages/component-user-manager/src/routes/users/post.js b/packages/component-user-manager/src/routes/users/post.js
index 8150e2ca77f46131c69325b591e5a58dcd93ad1c..44595c0ae46cb5549f0b95f1c0e315df3666f3e2 100644
--- a/packages/component-user-manager/src/routes/users/post.js
+++ b/packages/component-user-manager/src/routes/users/post.js
@@ -1,5 +1,6 @@
 const { pick } = require('lodash')
 const Chance = require('chance')
+const { passwordStrengthRegex } = require('config')
 
 const chance = new Chance()
 
@@ -15,6 +16,10 @@ module.exports = models => async (req, res) => {
         error: 'Terms & Conditions must be read and approved.',
       })
     }
+    if (!passwordStrengthRegex.test(req.body.password))
+      return res.status(400).json({
+        error: 'Password is too weak. Please check password requirements.',
+      })
     req.body = pick(req.body, [
       'email',
       'title',
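Review bot: `passwordStrengthRegex` is destructured from `config` and dereferenced at `passwordStrengthRegex.test(req.body.password)` with no check that the key exists. This commit defines it only in xpub-faraday's default config, so any other app or test environment that loads component-user-manager without that key would hit a TypeError inside the async handler instead of a validation response. A fail-fast check at module load would surface the misconfiguration immediately, for example `if (!(passwordStrengthRegex instanceof RegExp)) throw new Error('config.passwordStrengthRegex must be a RegExp')`. The same import and dereference appear in changePassword.js and resetPassword.js. The block enclosing the added lines starts outside this hunk, so it is not visible whether every user-creation path reaches this check.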
diff --git a/packages/component-user-manager/src/routes/users/resetPassword.js b/packages/component-user-manager/src/routes/users/resetPassword.js
index b46c9cafdccf18ddab7facd6e629cc4a0f92a065..c42dd4cc1037f15b22acb0f0899b1cf97e420eae 100644
--- a/packages/component-user-manager/src/routes/users/resetPassword.js
+++ b/packages/component-user-manager/src/routes/users/resetPassword.js
@@ -1,14 +1,16 @@
 const { services } = require('pubsweet-component-helper-service')
 
+const { passwordStrengthRegex } = require('config')
+
 module.exports = models => async (req, res) => {
   const { email, password, token } = req.body
   if (!services.checkForUndefinedParams(email, password, token))
     return res.status(400).json({ error: 'missing required params' })
 
-  if (password.length < 7)
-    return res
-      .status(400)
-      .json({ error: 'password needs to be at least 7 characters long' })
+  if (!passwordStrengthRegex.test(req.body.password))
+    return res.status(400).json({
+      error: 'Password is too weak. Please check password requirements.',
+    })
 
   const validateResponse = await services.validateEmailAndToken({
     email,
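Review bot: The added check reads `req.body.password` even though `password` is already destructured from `req.body` two lines above and used for the undefined-params check. Using the local keeps the validated value and the value passed on visibly the same: `if (!passwordStrengthRegex.test(password))`. The new error string is also capitalised and punctuated differently from `'missing required params'` in the same handler, which is worth aligning if clients match on these messages.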
diff --git a/packages/xpub-faraday/config/default.js b/packages/xpub-faraday/config/default.js
index 4ac021c51ead4f114dd58b376a2619050fc5687d..016905070ad0eed9c426ad6a3c8b7e3e6f612d55 100644
--- a/packages/xpub-faraday/config/default.js
+++ b/packages/xpub-faraday/config/default.js
@@ -142,4 +142,7 @@ module.exports = {
       editor: 'editorRecommendation',
     },
   },
+  passwordStrengthRegex: new RegExp(
+    '^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*])(?=.{6,128})',
+  ),
 }
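Review bot: The length lookahead `(?=.{6,128})` has no end anchor, so it only asserts that at least 6 characters follow the start of the string; the 128-character upper bound is never enforced. The effective minimum also drops from the previous 7 characters to 6. If the cap is intended (for example to bound hashing cost on oversized input), anchor the length: `'^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[!@#$%^&*]).{6,128}$'`. Note also that a password whose only symbols fall outside `!@#$%^&*` is rejected as weak, and a short comment next to the pattern stating the intended policy would make that explicit. The `module.exports` object starts outside this hunk.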