diff --git a/commafeed-server/config.dev.yml b/commafeed-server/config.dev.yml
index d5aa62de..2da0ba27 100644
--- a/commafeed-server/config.dev.yml
+++ b/commafeed-server/config.dev.yml
@@ -6,6 +6,9 @@ app:
 # wether to allow user registrations
 allowRegistrations: true
+
+ # whether to enable strict password validation (1 uppercase char, 1 lowercase char, 1 digit, 1 special char)
+ strictPasswordPolicy: true
 # create a demo account the first time the app starts
 createDemoAccount: true
diff --git a/commafeed-server/config.yml.example b/commafeed-server/config.yml.example
index f990e1d6..490c8fca 100644
--- a/commafeed-server/config.yml.example
+++ b/commafeed-server/config.yml.example
@@ -6,6 +6,9 @@ app:
 # whether to allow user registrations
 allowRegistrations: false
+
+ # whether to enable strict password validation (1 uppercase char, 1 lowercase char, 1 digit, 1 special char)
+ strictPasswordPolicy: true
 # create a demo account the first time the app starts
 createDemoAccount: false
diff --git a/commafeed-server/src/main/java/com/commafeed/CommaFeedApplication.java b/commafeed-server/src/main/java/com/commafeed/CommaFeedApplication.java
index 9061c970..27dbe007 100644
--- a/commafeed-server/src/main/java/com/commafeed/CommaFeedApplication.java
+++ b/commafeed-server/src/main/java/com/commafeed/CommaFeedApplication.java
@@ -33,6 +33,7 @@ import com.commafeed.backend.model.UserSettings;
 import com.commafeed.backend.service.DatabaseStartupService;
 import com.commafeed.backend.service.UserService;
 import com.commafeed.backend.task.ScheduledTask;
+import com.commafeed.frontend.auth.PasswordConstraintValidator;
 import com.commafeed.frontend.auth.SecurityCheckFactoryProvider;
 import com.commafeed.frontend.resource.AdminREST;
 import com.commafeed.frontend.resource.CategoryREST;
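Review bot: The comment added above `strictPasswordPolicy` in config.dev.yml lists what strict mode requires but not what is still enforced when the flag is set to false, which is what an operator needs to know before turning it off; the identical comment in config.yml.example has the same gap. A second comment line such as `# when false, only <rules that stay active> are enforced` would cover it, with the placeholder filled in from PasswordConstraintValidator, whose relaxed rule set is not visible in this diff.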
@@ -150,6 +151,8 @@ public class CommaFeedApplication extends Application {
 @Override
 public void run(CommaFeedConfiguration config, Environment environment) throws Exception {
+ PasswordConstraintValidator.setStrict(config.getApplicationSettings().getStrictPasswordPolicy());
+
 // guice init
 Injector injector = Guice.createInjector(new CommaFeedModule(hibernateBundle.getSessionFactory(), config, environment.metrics()));
diff --git a/commafeed-server/src/main/java/com/commafeed/CommaFeedConfiguration.java b/commafeed-server/src/main/java/com/commafeed/CommaFeedConfiguration.java
index 5dbc3d11..0532f626 100644
--- a/commafeed-server/src/main/java/com/commafeed/CommaFeedConfiguration.java
+++ b/commafeed-server/src/main/java/com/commafeed/CommaFeedConfiguration.java
@@ -69,6 +69,10 @@ public class CommaFeedConfiguration extends Configuration {
 @Valid
 private Boolean allowRegistrations;
+ @NotNull
+ @Valid
+ private Boolean strictPasswordPolicy = true;
+
 @NotNull
 @Valid
 private Boolean createDemoAccount;
diff --git a/commafeed-server/src/main/java/com/commafeed/frontend/auth/PasswordConstraintValidator.java b/commafeed-server/src/main/java/com/commafeed/frontend/auth/PasswordConstraintValidator.java
index 784aebd0..afd2a17d 100644
--- a/commafeed-server/src/main/java/com/commafeed/frontend/auth/PasswordConstraintValidator.java
+++ b/commafeed-server/src/main/java/com/commafeed/frontend/auth/PasswordConstraintValidator.java
@@ -14,8 +14,13 @@ import org.passay.PasswordValidator;
 import org.passay.RuleResult;
 import org.passay.WhitespaceRule;
+import lombok.Setter;
+
 public class PasswordConstraintValidator implements ConstraintValidator {
+ @Setter
+ private static boolean strict = true;
+
 @Override
 public void initialize(ValidPassword constraintAnnotation) {
 // nothing to do
@@ -27,7 +32,7 @@ public class PasswordConstraintValidator implements ConstraintValidator
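Review bot: Turning the policy off leaves no trace at startup: in `run`, the configured value goes straight into `PasswordConstraintValidator.setStrict(...)` and nothing is logged. A relaxed password policy is worth surfacing for audit, for example `if (!config.getApplicationSettings().getStrictPasswordPolicy()) { log.warn("strictPasswordPolicy is disabled, password complexity rules are relaxed"); }`, using whichever logger this class already has (none is visible in the hunk). The call also unboxes a `Boolean` into the setter's `boolean`, which is safe only as long as the `@NotNull` constraint on the field has been checked before `run` is reached. `run` continues past the end of the hunk.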
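Review bot: `strictPasswordPolicy` is the only field in this hunk with an initializer, and nothing explains that `= true` is what keeps the strict policy active for a configuration file that omits the key. A one-line comment above the field, e.g. `// defaults to true: configs that omit the key keep strict validation`, would stop the initializer from being removed as inconsistent with its neighbours. An explicitly empty value in the YAML would presumably still be rejected by `@NotNull`, which is the safer failure. The enclosing class starts and ends outside the hunk.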
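Review bot: `@Setter` on the private static field `strict` makes Lombok generate a public static `setStrict`, so the password policy becomes process-wide mutable state that any caller can relax after startup, and a test that flips it changes every later validation in the same JVM. If the static is kept, the field should carry a comment stating the intended lifecycle, e.g. `// set once at startup from app.strictPasswordPolicy; must not be changed while requests are being served`. Tests that call `setStrict(false)` should restore `true` afterwards. Where `strict` is read is in the following hunk, which is cut off here, so what the relaxed mode still enforces cannot be checked from this page.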