diff --git a/config/crds/iam.kubesphere.io_users.yaml b/config/crds/iam.kubesphere.io_users.yaml
index b250c2ec8..999d4eb9c 100644
--- a/config/crds/iam.kubesphere.io_users.yaml
+++ b/config/crds/iam.kubesphere.io_users.yaml
@@ -58,6 +58,9 @@ spec:
 type: string
 password:
 description: password will be encrypted by mutating admission webhook
+ maxLength: 64
+ minLength: 6
+ pattern: ^(.*[a-z].*[A-Z].*[0-9].*)$|^(.*[a-z].*[0-9].*[A-Z].*)$|^(.*[A-Z].*[a-z].*[0-9].*)$|^(.*[A-Z].*[0-9].*[a-z].*)$|^(.*[0-9].*[a-z].*[A-Z].*)$|^(.*[0-9].*[A-Z].*[a-z].*)$|^(\$2[ayb]\$.{56})$
 type: string
 required:
 - email
diff --git a/staging/src/kubesphere.io/api/iam/v1alpha2/types.go b/staging/src/kubesphere.io/api/iam/v1alpha2/types.go
index 9128a256a..fba79c779 100644
--- a/staging/src/kubesphere.io/api/iam/v1alpha2/types.go
+++ b/staging/src/kubesphere.io/api/iam/v1alpha2/types.go
@@ -124,7 +124,20 @@ type UserSpec struct { DisplayName string `json:"displayName,omitempty"` // +optional Groups []string `json:"groups,omitempty"` + // password will be encrypted by mutating admission webhook + // +kubebuilder:validation:MinLength=6 + // +kubebuilder:validation:MaxLength=64 + // +kubebuilder:validation:Pattern=`^(.*[a-z].*[A-Z].*[0-9].*)$|^(.*[a-z].*[0-9].*[A-Z].*)$|^(.*[A-Z].*[a-z].*[0-9].*)$|^(.*[A-Z].*[0-9].*[a-z].*)$|^(.*[0-9].*[a-z].*[A-Z].*)$|^(.*[0-9].*[A-Z].*[a-z].*)$|^(\$2[ayb]\$.{56})$` + // Password pattern is tricky here. + // The rule is simple: length between [6,64], at least one uppercase letter, one lowercase letter, one digit. + // The regexp in console(javascript) is quite straightforward: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[^]{6,64}$ + // But in Go, we don't have ?= (back tracking) capability in regexp (also in CRD validation pattern) + // So we adopted an alternative scheme to achieve. + // Use 6 different regexp to combine to achieve the same effect. + // These six schemes enumerate the arrangement of numbers, uppercase letters, and lowercase letters + // that appear for the first time. + // Last but not least, the bcrypt string is also included to match the encrypted password. ^(\$2[ayb]\$.{56})$ EncryptedPassword string `json:"password,omitempty"` }
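Review bot: The last alternative in the Pattern marker, `^(\$2[ayb]\$.{56})$`, accepts any 60-character string that starts with a bcrypt prefix, so a value of that shape skips the upper/lower/digit rule and the schema cannot tell a real hash from arbitrary client input. Tightening it to the actual bcrypt layout, `^(\$2[ayb]\$[0-9]{2}\$[./A-Za-z0-9]{53})$`, narrows what is let through, and the generated pattern in config/crds/iam.kubesphere.io_users.yaml would need regenerating to match. How the mutating webhook treats an already bcrypt-shaped `password` is not visible here, so the comment should state it, e.g. `// A bcrypt-shaped value bypasses the complexity rule; the webhook must decide whether to accept it as already hashed.` The comment also calls `?=` "back tracking" where it is a lookahead, which Go's regexp package does not support. The UserSpec struct starts above this hunk.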