diff --git a/app/User/UseCases/CreateUser.php b/app/User/UseCases/CreateUser.php
index cfec430..49dfb71 100644
--- a/app/User/UseCases/CreateUser.php
+++ b/app/User/UseCases/CreateUser.php
@@ -21,6 +21,16 @@ class CreateUser
             throw new BadRequestException('email is required');
         }
 
+        if ($dto->password === null) {
+            throw new BadRequestException('password is required');
+        }
+
+        if (strlen($dto->password) < 8) {
+            throw new BadRequestException(
+                'password must be at least 8 characters'
+            );
+        }
+
         $email = new EmailAddress($dto->email);
         if ($this->userRepo->findByEmail($email) !== null) {
             throw new BadRequestException('email already taken');
@@ -28,6 +38,7 @@ class CreateUser
 
         $this->userRepo->create(new CreateUserDto(
             email: $email,
+            passwordHash: password_hash($dto->password, PASSWORD_DEFAULT),
             isAdmin: $dto->isAdmin,
         ));
     }