diff --git a/backend/flow_api/flow/credential_usage/action_password_recovery.go b/backend/flow_api/flow/credential_usage/action_password_recovery.go
index 34f6e841..06118373 100644
--- a/backend/flow_api/flow/credential_usage/action_password_recovery.go
+++ b/backend/flow_api/flow/credential_usage/action_password_recovery.go
@@ -30,7 +30,8 @@ func (a PasswordRecovery) Initialize(c flowpilot.InitializationContext) {

 c.AddInputs(flowpilot.PasswordInput("new_password").
 Required(true).
- MinLength(deps.Cfg.Password.MinLength),
+ MinLength(deps.Cfg.Password.MinLength).
+ MaxLength(72),
 )

 if !deps.Cfg.Password.Enabled {
@@ -41,6 +42,10 @@ func (a PasswordRecovery) Initialize(c flowpilot.InitializationContext) {
 func (a PasswordRecovery) Execute(c flowpilot.ExecutionContext) error {
 deps := a.GetDeps(c)

+ if valid := c.ValidateInputData(); !valid {
+ return c.Error(flowpilot.ErrorFormDataInvalid)
+ }
+
 newPassword := c.Input().Get("new_password").String()

 if !c.Stash().Get(shared.StashPathUserID).Exists() {
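Review bot: The literal `72` in the added `MaxLength(72)` is unexplained and hard-coded, while the `MinLength` beside it comes from `deps.Cfg.Password.MinLength`. It looks like the bcrypt input limit; if so, name it and reuse it for every password input, e.g. `const maxPasswordLength = 72 // bcrypt only accepts up to 72 bytes of input`. That limit is counted in bytes, so if flowpilot's `MaxLength` counts characters (not visible here), a password of 72 or fewer multi-byte characters can still exceed it; a byte-length check such as `len(newPassword) > 72` is needed wherever the password is hashed. `Initialize` starts above this hunk and continues below it.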
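Review bot: The guard added at the top of `Execute` does not need the throwaway variable; `valid` is never used again, so `if !c.ValidateInputData() {` reads more directly. A one-line comment above it would also help, for example `// Enforce the constraints declared in Initialize (required, min/max length) before the password is used.`, because the input schema and its enforcement live in different methods. The body of `Execute` continues past the end of this hunk, so how `newPassword` is used afterwards cannot be seen here.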