diff --git a/api/user.go b/api/user.go
index fcf4f862..a8b44dcb 100644
--- a/api/user.go
+++ b/api/user.go
@@ -68,7 +68,7 @@ func (create UserCreate) Validate() error {
 		return fmt.Errorf("username is too long, maximum length is 32")
 	}
 	if len(create.Password) < 3 {
-		return fmt.Errorf("password is too short, minimum length is 6")
+		return fmt.Errorf("password is too short, minimum length is 3")
 	}
 	if len(create.Password) > 512 {
 		return fmt.Errorf("password is too long, maximum length is 512")
@@ -114,7 +114,7 @@ func (patch UserPatch) Validate() error {
 		return fmt.Errorf("username is too long, maximum length is 32")
 	}
 	if patch.Password != nil && len(*patch.Password) < 3 {
-		return fmt.Errorf("password is too short, minimum length is 6")
+		return fmt.Errorf("password is too short, minimum length is 3")
 	}
 	if patch.Password != nil && len(*patch.Password) > 512 {
 		return fmt.Errorf("password is too long, maximum length is 512")
diff --git a/setup/setup_test.go b/setup/setup_test.go
index fd6af383..03bcdee6 100644
--- a/setup/setup_test.go
+++ b/setup/setup_test.go
@@ -101,7 +101,7 @@ func TestSetupServiceCreateUser(t *testing.T) {
 		},
 		`username != "", password == ""`: {
 			hostUsername: expectedCreated.Username,
-			expectedErr:  "validate: password is too short, minimum length is 6",
+			expectedErr:  "validate: password is too short, minimum length is 3",
 		},
 		"failed to create": {
 			setupStore: func(m *storeMock) {