diff --git a/backend/auth/password.go b/backend/auth/password.go
index 724e63563..82856f1ef 100644
--- a/backend/auth/password.go
+++ b/backend/auth/password.go
@@ -16,6 +16,10 @@ func ValidatePassword(password string) error {
 		errs = append(errs, "must be at least 8 characters long")
 	}
 
+	if len(password) > 128 { // see https://github.com/OWASP/ASVS/issues/756
+		errs = append(errs, "must be at most 128 characters long")
+	}
+
 	if !hasDigit(password) {
 		errs = append(errs, "must contain at least one digit")
 	}
diff --git a/backend/entities/auth/base/models.go b/backend/entities/auth/base/models.go
index a15a48349..0657ac760 100644
--- a/backend/entities/auth/base/models.go
+++ b/backend/entities/auth/base/models.go
@@ -7,8 +7,8 @@ type VerifyEmailRequestBody struct {
 type VerifyPasswordResetTokenRequestBody struct {
 	Token string `json:"token" validate:"required"`
-	NewPassword string `json:"new_password" validate:"required,min=8,password"`
-	VerifyNewPassword string `json:"verify_new_password" validate:"required,min=8,password,eqfield=NewPassword"`
+	NewPassword string `json:"new_password" validate:"required"` // MARK: must be validated manually
+	VerifyNewPassword string `json:"verify_new_password" validate:"required,eqfield=NewPassword"` // MARK: must be validated manually
 }
 type EmailRequestBody struct {
diff --git a/backend/entities/auth/models.go b/backend/entities/auth/models.go
index 7272b50d8..dc65fbb76 100644
--- a/backend/entities/auth/models.go
+++ b/backend/entities/auth/models.go
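Review bot: `len(password) > 128` counts bytes, but the message appended right after it says "characters", so a multibyte password well under 128 characters can be rejected with a message that contradicts the input. If the bound is there to cap hashing cost (what the linked ASVS discussion is about), bytes are the right unit and the message should say so, e.g. `errs = append(errs, "must be at most 128 bytes long")`; if it is meant as a character limit, compare `utf8.RuneCountInString(password) > 128` instead. The same byte-versus-character question applies to the existing 8-character minimum whose check sits just above the hunk. ValidatePassword's body continues outside the hunk.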
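Review bot: The new tags on NewPassword and VerifyNewPassword drop `min=8` and the custom `password` validator, and the `// MARK: must be validated manually` comment does not say which code now enforces those rules, so a reader of VerifyPasswordResetTokenRequestBody cannot tell whether the reset flow still rejects weak passwords. Name the enforcing function in the comment, e.g. `// MARK: length/complexity rules enforced by ValidatePassword (backend/auth/password.go) in the handler`, assuming that is what the handler calls (the handler is not in this diff). `eqfield=NewPassword` still runs in the tag validator, so only the strength rules moved.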
@@ -2,12 +2,12 @@ package auth
 type LoginResponseBody struct {
 	Email string `json:"email" validate:"required,email"`
-	Password string `json:"password" validate:"required,max=255"` // MARK: must be validated manually
+	Password string `json:"password" validate:"required"` // MARK: must be validated manually
 }
 type UpdatePasswordRequestBody struct {
-	OldPassword string `json:"old_password" validate:"required,max=255"` // MARK: must be validated manually
-	NewPassword string `json:"new_password" validate:"required,not_equal_if_not_empty=OldPassword,max=255"` // MARK: must be validated manually
+	OldPassword string `json:"old_password" validate:"required"` // MARK: must be validated manually
+	NewPassword string `json:"new_password" validate:"required,not_equal_if_not_empty=OldPassword"` // MARK: must be validated manually
 }
 type RefreshTokenRequestBody struct {
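Review bot: Dropping `max=255` from LoginResponseBody.Password and UpdatePasswordRequestBody.OldPassword leaves those two fields with no upper bound at the tag layer, and unlike NewPassword they are inputs to password verification rather than to ValidatePassword, so nothing in this diff bounds their length before they reach the hash comparison. Unless the handlers apply an explicit length check or a request-body size limit to these fields (not visible here), an oversized value is now accepted; keep `max=` on them, or have the handler reject over-length input with the same 128 bound the password.go hunk introduces. NewPassword in UpdatePasswordRequestBody presumably goes through ValidatePassword, which now covers its upper bound.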