diff --git a/src/Administration.php b/src/Administration.php
index 9247b30..3eb629f 100644
--- a/src/Administration.php
+++ b/src/Administration.php
@@ -384,7 +384,7 @@ final class Administration extends UserManager {
 	 */
 	public function changePasswordForUserById($userId, $newPassword) {
 		$userId = (int) $userId;
-		$newPassword = self::validatePassword($newPassword);
+		$newPassword = self::validatePassword($newPassword, true);
 		$this->updatePasswordInternal(
 			$userId,
diff --git a/src/Auth.php b/src/Auth.php
index cedb56b..855d371 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -779,7 +779,7 @@ final class Auth extends UserManager {
 	 */
 	public function changePasswordWithoutOldPassword($newPassword) {
 		if ($this->isLoggedIn()) {
-			$newPassword = self::validatePassword($newPassword);
+			$newPassword = self::validatePassword($newPassword, true);
 			$this->updatePasswordInternal($this->getUserId(), $newPassword);
 			try {
@@ -1560,7 +1560,7 @@ final class Auth extends UserManager {
 				if ((int) $resetData['resettable'] === 1) {
 					if (\password_verify($token, $resetData['token'])) {
 						if ($resetData['expires'] >= \time()) {
-							$newPassword = self::validatePassword($newPassword);
+							$newPassword = self::validatePassword($newPassword, true);
 							$this->updatePasswordInternal($resetData['user'], $newPassword);
 							$this->forceLogoutForUserById($resetData['user']);
diff --git a/src/UserManager.php b/src/UserManager.php
index 7c4a1dc..620c737 100644
--- a/src/UserManager.php
+++ b/src/UserManager.php
@@ -132,7 +132,7 @@ abstract class UserManager {
 		\ignore_user_abort(true);
 		$email = self::validateEmailAddress($email);
-		$password = self::validatePassword($password);
+		$password = self::validatePassword($password, true);
 		$username = isset($username) ? \trim($username) : null;
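Review bot: Every call site in these hunks now passes a bare positional `true` to validatePassword (`self::validatePassword($newPassword, true)` in changePasswordForUserById and changePasswordWithoutOldPassword, and the same call in the two remaining hunks), so a reader cannot tell from the call what the flag does without opening UserManager. If the library's minimum PHP version is 8.0 or later (not visible here), `self::validatePassword($newPassword, isNewPassword: true)` documents the intent at the call site; otherwise a trailing comment such as `// new password: enforce the hashing-algorithm length cap` on each call does the same. Each enclosing method starts before and continues past its hunk, so nothing else in them can be reviewed here.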
@@ -315,20 +315,28 @@ abstract class UserManager {
 	 * Validates a password
 	 *
 	 * @param string $password the password to validate
+	 * @param bool|null $isNewPassword (optional) whether the password is a new password that the user wants to use
 	 * @return string the sanitized password
 	 * @throws InvalidPasswordException if the password has been invalid
 	 */
-	protected static function validatePassword($password) {
+	protected static function validatePassword($password, $isNewPassword = null) {
 		if (empty($password)) {
 			throw new InvalidPasswordException();
 		}
 		$password = \trim($password);
+		$isNewPassword = ($isNewPassword !== null) ? (bool) $isNewPassword : false;
 		if (\strlen($password) < 1) {
 			throw new InvalidPasswordException();
 		}
+		if ($isNewPassword) {
+			if (\strlen($password) > 72) {
+				throw new InvalidPasswordException();
+			}
+		}
+
 		return $password;
 	}
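Review bot: The new `if (\strlen($password) > 72)` check is bcrypt's 72-byte truncation limit, but it is an unexplained magic number and the docblock's `@throws` line still says only "if the password has been invalid", so a reader cannot tell where the limit comes from or that it is deliberately measured in bytes via `\strlen` (the correct unit for bcrypt). Name it, e.g. a class constant `const MAX_PASSWORD_BYTES = 72; // bcrypt hashes only the first 72 bytes of input`, use it in the comparison, and extend the docblock to `@throws InvalidPasswordException if the password is empty, or (for new passwords) longer than 72 bytes`. If the hashing backend is bcrypt (not visible in this hunk — confirm in updatePasswordInternal), a NUL byte deserves the same rejection, because bcrypt treats the input as a C string and ignores everything after the first NUL; `if (\strpos($password, "\0") !== false) { throw new InvalidPasswordException(); }` beside the length check covers it, and should be applied regardless of `$isNewPassword` since it costs nothing on the verification path. Finally, the added normalisation line is equivalent to `$isNewPassword = (bool) $isNewPassword;` because `(bool) null` is already `false`.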