diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index da4c3a2ce11362de844102a64e9b2c3e7880feda..9f69e0d2c5eccb3a3d9fed0a742cb7d5f88f0d1f 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -99,9 +99,16 @@ function setup(app) {
    * the staged user account transitions to a valid user account */
   app.post('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) {
 
-    // bcrypt the password
     // we should be cloning this object here.
     var stageParams = req.body;
+
+    // issue #155, valid password length is between 8 and 80 chars.
+    if (stageParams.pass.length < 8 || stageParams.pass.length > 80) {
+      httputils.badRequest(resp, "valid passwords are between 8 and 80 chars");
+      return;
+    }
+
+    // bcrypt the password
     stageParams['hash'] = bcrypt.encrypt_sync(stageParams.pass, bcrypt.gen_salt_sync(10));
 
     try {
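Review bot: The new length guard reads `stageParams.pass.length` without confirming that `pass` is a string, so a body that decodes `pass` to an array is measured by element count, and an object with no `length` property passes both comparisons and still reaches `bcrypt.encrypt_sync`. `checkParams` is not visible in this hunk and presumably only checks that the field is present. Tighten the condition to `if (typeof stageParams.pass !== 'string' || stageParams.pass.length < 8 || stageParams.pass.length > 80) {`. Separately, bcrypt implementations commonly use only the first 72 bytes of input and `.length` counts UTF-16 units, so the 80-character ceiling does not guarantee every character contributes to the hash; a byte-length check or a comment recording that limit would help. The handler body continues past the end of the hunk.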