diff --git a/docs/Using Fleet/fleetctl-CLI.md b/docs/Using Fleet/fleetctl-CLI.md
index 474218d6a3..bf173307dd 100644
--- a/docs/Using Fleet/fleetctl-CLI.md	
+++ b/docs/Using Fleet/fleetctl-CLI.md	
@@ -202,7 +202,7 @@ An API-only user does not have access to the Fleet UI. Instead, it's only purpos
 To create your new API-only user, run `fleetctl user create` and pass values for `--name`, `--email`, and `--password`, and include the `--api-only` flag:
 
 ```sh
-fleetctl user create --name "API User" --email api@example.com --password temp!pass --api-only
+fleetctl user create --name "API User" --email api@example.com --password temp@pass123 --api-only
 ```
 
 ### Creating an API-only user
diff --git a/server/fleet/users.go b/server/fleet/users.go
index 48b4502f24..45f36c8d13 100644
--- a/server/fleet/users.go
+++ b/server/fleet/users.go
@@ -353,7 +353,7 @@ func ValidatePasswordRequirements(password string) error {
 		return nil
 	}
 
-	return errors.New("Password does not meet required criteria")
+	return errors.New("Password does not meet required criteria: Must include 12 characters, at least 1 number (e.g. 0 - 9), and at least 1 symbol (e.g. &*#).")
 }
 
 // ValidateEmail checks that the provided email address is valid, this function
diff --git a/server/service/users.go b/server/service/users.go
index f3841fbfdf..c735045778 100644
--- a/server/service/users.go
+++ b/server/service/users.go
@@ -863,7 +863,7 @@ func (svc *Service) PerformRequiredPasswordReset(ctx context.Context, password s
 	}
 
 	if err := fleet.ValidatePasswordRequirements(password); err != nil {
-		return nil, fleet.NewInvalidArgumentError("new_password", "Password does not meet required criteria")
+		return nil, fleet.NewInvalidArgumentError("new_password", "Password does not meet required criteria: Must include 12 characters, at least 1 number (e.g. 0 - 9), and at least 1 symbol (e.g. &*#).")
 	}
 
 	user.AdminForcedPasswordReset = false