diff --git a/post.php b/post.php
index fa069370..0a7959c2 100644
--- a/post.php
+++ b/post.php
@@ -1011,6 +1011,11 @@ function handle_post(Context $ctx)
 }
 }
 
+// We must do this check now before the passowrd is hashed and overwritten.
+if (\mb_strlen($_POST['password']) > 20) {
+error(\sprintf($config['error']['toolong'], 'password'));
+}
+
 $post['name'] = $_POST['name'] != '' ? $_POST['name'] : $config['anonymous'];
 $post['subject'] = $_POST['subject'];
 $post['email'] = str_replace(' ', '%20', htmlspecialchars($_POST['email']));
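Review bot: The new length check reads `$_POST['password']` without confirming it exists or is a string, so a request that omits the field passes `null` to `\mb_strlen` (a deprecation in PHP 8.1+) and one that sends it as an array (`password[]=...`) raises a `TypeError` before the intended `toolong` error is reached. Normalising the value first keeps the check robust: `$password = $_POST['password'] ?? '';` followed by `if (!\is_string($password) || \mb_strlen($password) > 20) {` with the same `error(...)` call in the body. The comment's "passowrd" should read "password", and it would help to state the reason for the bound (the hash replaces the raw value, so the length is unobservable later), e.g. `// Enforce the limit on the raw value; once hashed, its length is no longer available.` This assumes `error()` terminates the request as it appears to elsewhere in the hunk's style — if it can return, the overlong value would still flow into the hashing code below; handle_post's body starts and ends outside this hunk.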