diff --git a/src/charm.py b/src/charm.py
index c5eb3fd..165e9c2 100755
--- a/src/charm.py
+++ b/src/charm.py
@@ -521,10 +521,37 @@ class CephISCSIGatewayCharmBase(
             rbd_pool_name = self.data_pool_name
         return rbd_pool_name, ec_rbd_metadata_pool
 
+    def _validate_str(self, value, allowed, min_len, max_len, typ):
+        if any(s for s in value if s not in allowed):
+            raise ValueError('%s can only contain: %s' % (typ, allowed))
+        elif len(value) < min_len or len(value) > max_len:
+            raise ValueError('%s must be between %d and %d characters long' %
+                             (typ, min_len, max_len))
+
+    def _validate_username(self, value):
+        self._validate_str(value, string.ascii_letters + string.digits +
+                           '.@-_:', 8, 64, 'username')
+
+    def _validate_password(self, value):
+        self._validate_str(value, string.ascii_letters + string.digits +
+                           '@-_/', 12, 16, 'password')
+
     def on_create_target_action(self, event):
         """Create an iSCSI target."""
         gw_client = gwcli_client.GatewayClient()
         target = event.params.get('iqn', self.DEFAULT_TARGET)
+        username = event.params['client-username']
+        passwd = event.params['client-password']
+        try:
+            self._validate_username(username)
+            self._validate_password(passwd)
+        except ValueError as exc:
+            logging.error(str(exc))
+            fail_str = 'invalid username or password: %s' % str(exc)
+            event.fail(fail_str)
+            event.set_results({'err': fail_str})
+            return
+
         gateway_units = event.params.get(
             'gateway-units',
             [u for u in self.peers.ready_peer_details.keys()])
@@ -567,8 +594,8 @@ class CephISCSIGatewayCharmBase(
         gw_client.add_client_auth(
             target,
             event.params['client-initiatorname'],
-            event.params['client-username'],
-            event.params['client-password'])
+            username,
+            passwd)
         gw_client.add_disk_to_client(
             target,
             event.params['client-initiatorname'],
diff --git a/unit_tests/test_ceph_iscsi_charm.py b/unit_tests/test_ceph_iscsi_charm.py
index b5d3083..02e29ab 100644
--- a/unit_tests/test_ceph_iscsi_charm.py
+++ b/unit_tests/test_ceph_iscsi_charm.py
@@ -237,7 +237,7 @@ class TestCephISCSIGatewayCharmBase(CharmTestCase):
             'image-size': '5G',
             'client-initiatorname': 'client-initiator',
             'client-username': 'myusername',
-            'client-password': 'mypassword'}
+            'client-password': 'mypassword123'}
         self.harness.charm.on_create_target_action(action_event)
         self.gwc.add_gateway_to_target.assert_has_calls([
             call(
@@ -260,7 +260,7 @@ class TestCephISCSIGatewayCharmBase(CharmTestCase):
             'iqn.mock.iscsi-gw:iscsi-igw',
             'client-initiator',
             'myusername',
-            'mypassword')
+            'mypassword123')
         self.gwc.add_disk_to_client.assert_called_once_with(
             'iqn.mock.iscsi-gw:iscsi-igw',
             'client-initiator',
@@ -283,7 +283,7 @@ class TestCephISCSIGatewayCharmBase(CharmTestCase):
             'image-size': '5G',
             'client-initiatorname': 'client-initiator',
             'client-username': 'myusername',
-            'client-password': 'mypassword'}
+            'client-password': 'mypassword123'}
         self.harness.charm.on_create_target_action(action_event)
         self.subprocess.check_call.assert_called_once_with(
             [
@@ -315,7 +315,7 @@ class TestCephISCSIGatewayCharmBase(CharmTestCase):
             'iqn.mock.iscsi-gw:iscsi-igw',
             'client-initiator',
             'myusername',
-            'mypassword')
+            'mypassword123')
         self.gwc.add_disk_to_client.assert_called_once_with(
             'iqn.mock.iscsi-gw:iscsi-igw',
             'client-initiator',