diff --git a/server/fleet/users.go b/server/fleet/users.go
index 0549b86416..94f22292bd 100644
--- a/server/fleet/users.go
+++ b/server/fleet/users.go
@@ -404,6 +404,7 @@ func saltAndHashPassword(keySize int, plaintext string, cost int) (hashed []byte
 		return nil, "", err
 	}
+	salt = salt[:keySize]
 	withSalt := []byte(fmt.Sprintf("%s%s", plaintext, salt))
 	hashed, err = bcrypt.GenerateFromPassword(withSalt, cost)
 	if err != nil {
diff --git a/server/fleet/users_test.go b/server/fleet/users_test.go
index a1c9c12c78..1c4e45a655 100644
--- a/server/fleet/users_test.go
+++ b/server/fleet/users_test.go
@@ -164,11 +164,11 @@ func TestUserPasswordRequirements(t *testing.T) {
 }
 func TestSaltAndHashPassword(t *testing.T) {
-	passwordTests := []string{"foobar!!", "bazbing!!"}
+	goodTests := []string{"foobar!!", "bazbing!!", "foobarbaz!!!foobarbaz!!!foobarbaz!!!foobarbaz!!", "foobarbaz!!!foobarbaz!!!foobarbaz!!!foobarbaz!!!"}
 	keySize := 24
 	cost := 10
-	for _, pwd := range passwordTests {
+	for _, pwd := range goodTests {
 		hashed, salt, err := saltAndHashPassword(keySize, pwd, cost)
 		require.NoError(t, err)
@@ -178,6 +178,14 @@ func TestSaltAndHashPassword(t *testing.T) {
 		err = bcrypt.CompareHashAndPassword(hashed, []byte(fmt.Sprint("invalidpassword", salt)))
 		require.Error(t, err)
+
+		// too long
+		badTests := []string{"foobarbaz!!!foobarbaz!!!foobarbaz!!!foobarbaz!!!!"}
+		for _, pwd := range badTests {
+			_, _, err := saltAndHashPassword(keySize, pwd, cost)
+			require.Error(t, err)
+
+		}
 	}
 }
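Review bot: The new `salt = salt[:keySize]` fixes the bcrypt input length at `len(plaintext)+keySize` bytes, but nothing in saltAndHashPassword checks that sum against bcrypt's 72-byte input limit; the function now depends on `bcrypt.GenerateFromPassword` rejecting longer input, which only recent golang.org/x/crypto releases do, while older ones silently truncate to 72 bytes, so part of the salt (and any password byte past the limit) would be dropped without an error. An explicit guard before the call makes the contract independent of the library version: `if len(withSalt) > 72 { return nil, "", fmt.Errorf("password plus %d-byte salt exceeds bcrypt's 72-byte limit", keySize) }`. Whether `salt` is always at least keySize bytes when it reaches the slice expression is not visible in this hunk; if the generator can return fewer, the slice panics rather than erroring. A doc comment on the function stating that callers must keep `len(plaintext) <= 72 - keySize` (and that the salt is truncated to keySize bytes) would also help, since the enclosing function starts and ends outside the hunk.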
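Review bot: The `badTests` loop is nested inside the `goodTests` range, so the too-long case is re-run once per good password and its `err :=` shadows the outer `err`; moving the block after the outer loop's closing brace runs it once and keeps the scopes separate. The 48-character entry added to `goodTests` in the previous hunk and the 49-character `badTests` entry pin the 72-byte boundary only for `keySize := 24`, which is worth saying where the cases are declared: `// 48 + 24-byte salt == 72, bcrypt's input limit; one more byte must fail`. The expected error also depends on the golang.org/x/crypto version in go.mod, since older bcrypt truncated long input instead of erroring; an explicit length check inside saltAndHashPassword would make this assertion hold regardless of that version.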