diff --git a/src/api2/types.rs b/src/api2/types.rs
index 23753842..eb9c4310 100644
--- a/src/api2/types.rs
+++ b/src/api2/types.rs
@@ -32,6 +32,8 @@ const_regex!{
     pub SHA256_HEX_REGEX = r"^[a-f0-9]{64}$"; // fixme: define in common_regex ?
     pub SYSTEMD_DATETIME_REGEX = r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}(:\d{2})?)?$"; //  fixme: define in common_regex ?
 
+    pub PASSWORD_REGEX = r"^[[:^cntrl:]]*$"; // everything but control characters
+
     /// Regex for safe identifiers.
     ///
     /// This
diff --git a/src/config/remotes.rs b/src/config/remotes.rs
index 8fc26a51..46f3b780 100644
--- a/src/config/remotes.rs
+++ b/src/config/remotes.rs
@@ -14,9 +14,9 @@ lazy_static! {
     static ref CONFIG: SectionConfig = init();
 }
 
-// fixme: define better schemas
-
 pub const REMOTE_PASSWORD_SCHEMA: Schema = StringSchema::new("Password or auth token for remote host.")
+    .format(&PASSWORD_REGEX)
+    .min_length(1)
     .max_length(1024)
     .schema();