diff --git a/backend/internal/handlers/admin_handlers.go b/backend/internal/handlers/admin_handlers.go
index dc9ab0c..3a212bc 100644
--- a/backend/internal/handlers/admin_handlers.go
+++ b/backend/internal/handlers/admin_handlers.go
@@ -14,14 +14,14 @@ import (
 "golang.org/x/crypto/bcrypt"
 )

-type CreateUserRequest struct {
+type createUserRequest struct {
 Email string `json:"email"`
 DisplayName string `json:"displayName"`
 Password string `json:"password"`
 Role models.UserRole `json:"role"`
 }

-type UpdateUserRequest struct {
+type updateUserRequest struct {
 Email string `json:"email,omitempty"`
 DisplayName string `json:"displayName,omitempty"`
 Password string `json:"password,omitempty"`
@@ -44,7 +44,7 @@ func (h *Handler) AdminListUsers() http.HandlerFunc {
 // AdminCreateUser creates a new user
 func (h *Handler) AdminCreateUser() http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
- var req CreateUserRequest
+ var req createUserRequest
 if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 http.Error(w, "Invalid request body", http.StatusBadRequest)
 return
@@ -63,6 +63,12 @@ func (h *Handler) AdminCreateUser() http.HandlerFunc {
 return
 }

+ // Check if password is long enough
+ if len(req.Password) < 8 {
+ http.Error(w, "Password must be at least 8 characters", http.StatusBadRequest)
+ return
+ }
+
 // Hash password
 hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
 if err != nil {
@@ -129,7 +135,7 @@ func (h *Handler) AdminUpdateUser() http.HandlerFunc {
 return
 }

- var req UpdateUserRequest
+ var req updateUserRequest
 if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 http.Error(w, "Invalid request body", http.StatusBadRequest)
 return
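Review bot: The length check added to AdminCreateUser (hunk at -63,6) counts bytes rather than characters and sets no upper bound, so it does not quite enforce what its error message promises. `len(req.Password)` accepts a four-character password made of two-byte runes, and anything over 72 bytes falls through to `bcrypt.GenerateFromPassword`, which in current golang.org/x/crypto releases returns `bcrypt.ErrPasswordTooLong` and ends up in the generic `err != nil` branch whose body lies outside the hunk. I would write the guard as `if utf8.RuneCountInString(req.Password) < 8 || len(req.Password) > 72 {` with a message naming both limits; this needs `unicode/utf8` in the import block. The same minimum is not added to AdminUpdateUser, whose `updateUserRequest` also carries a `Password` field, so unless that handler already validates it outside the visible lines, an update can still set a password shorter than the create path allows.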