diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/BpmProvider.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/BpmProvider.java
index c1d3a0192..6bdc46329 100644
--- a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/BpmProvider.java
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/BpmProvider.java
@@ -54,6 +54,8 @@
 import org.cibseven.webapp.rest.model.Message;
 import org.cibseven.webapp.rest.model.Metric;
 import org.cibseven.webapp.rest.model.NewUser;
+import org.cibseven.webapp.rest.model.PasswordPolicyRequest;
+import org.cibseven.webapp.rest.model.PasswordPolicyResponse;
 import org.cibseven.webapp.rest.model.Process;
 import org.cibseven.webapp.rest.model.ProcessDiagram;
 import org.cibseven.webapp.rest.model.ProcessInstance;
@@ -77,6 +79,7 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 
+import io.jsonwebtoken.security.Password;
 import jakarta.servlet.http.HttpServletRequest;
 
 public interface BpmProvider {
@@ -1263,4 +1266,6 @@ Collection<ActivityInstanceHistory> findActivitiesProcessDefinitionHistory(Strin
 	 */
 	void createSetupUser(NewUser user, String engine) throws InvalidUserIdException;
 
+	PasswordPolicyResponse validatePasswordPolicy(PasswordPolicyRequest request) throws SystemException;
+
 }
diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/IIdentityProvider.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/IIdentityProvider.java
new file mode 100644
index 000000000..642c69c1f
--- /dev/null
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/IIdentityProvider.java
@@ -0,0 +1,26 @@
+/*
+ * Copyright CIB software GmbH and/or licensed to CIB software GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. CIB software licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.cibseven.webapp.providers;
+
+import org.cibseven.webapp.exception.SystemException;
+import org.cibseven.webapp.rest.model.PasswordPolicyRequest;
+import org.cibseven.webapp.rest.model.PasswordPolicyResponse;
+
+public interface IIdentityProvider {
+    public PasswordPolicyResponse validatePasswordPolicy(PasswordPolicyRequest request) throws SystemException;
+
+}
diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/IdentityProvider.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/IdentityProvider.java
new file mode 100644
index 000000000..bd36bc7b2
--- /dev/null
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/IdentityProvider.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright CIB software GmbH and/or licensed to CIB software GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. CIB software licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.cibseven.webapp.providers;
+
+import java.util.ArrayList;
+import java.util.Map;
+
+import org.cibseven.webapp.exception.SystemException;
+import org.cibseven.webapp.rest.model.PasswordPolicyRequest;
+import org.cibseven.webapp.rest.model.PasswordPolicyResponse;
+import org.springframework.stereotype.Component;
+import org.springframework.web.client.HttpClientErrorException;
+
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@Component
+public class IdentityProvider extends SevenProviderBase implements IIdentityProvider {
+
+    public PasswordPolicyResponse validatePasswordPolicy(PasswordPolicyRequest request)
+            throws SystemException {
+        String url = getEngineRestUrl() + "/identity/password-policy";
+        Map<String, Object> body = Map.of(
+                "password", request.getPassword(),
+                "profile", request.getProfile());
+        try {
+            return doPost(url, body, PasswordPolicyResponse.class, null).getBody();
+            // when enable-password-policy is switched off the endpoint will return 404, so
+            // we catch this and return a default response
+        } catch (SystemException e) {
+            Throwable cause = e.getCause();
+            if (cause instanceof HttpClientErrorException.NotFound) {
+                return new PasswordPolicyResponse(true, new ArrayList<>());
+            }
+            throw e;
+        }
+    }
+}
diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/SevenProvider.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/SevenProvider.java
index ec86fcac1..bffbd31c8 100644
--- a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/SevenProvider.java
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/providers/SevenProvider.java
@@ -54,6 +54,8 @@
 import org.cibseven.webapp.rest.model.Message;
 import org.cibseven.webapp.rest.model.Metric;
 import org.cibseven.webapp.rest.model.NewUser;
+import org.cibseven.webapp.rest.model.PasswordPolicyRequest;
+import org.cibseven.webapp.rest.model.PasswordPolicyResponse;
 import org.cibseven.webapp.rest.model.Process;
 import org.cibseven.webapp.rest.model.ProcessDiagram;
 import org.cibseven.webapp.rest.model.ProcessInstance;
@@ -101,6 +103,7 @@ public class SevenProvider extends SevenProviderBase implements BpmProvider {
     @Autowired private ITenantProvider tenantProvider;
     @Autowired private IExternalTaskProvider externalTaskProvider;
     @Autowired private IEngineProvider engineProvider;
+	@Autowired private IdentityProvider identityProvider;
     
     
     /*
@@ -1330,4 +1333,8 @@ public Boolean requiresSetup(String engine) {
 	public void createSetupUser(NewUser user, String engine) throws InvalidUserIdException {
 		engineProvider.createSetupUser(user, engine);
 	}
+	@Override
+	public PasswordPolicyResponse validatePasswordPolicy(PasswordPolicyRequest request) throws SystemException {
+		return identityProvider.validatePasswordPolicy(request);
+	}
 }
diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/SetupService.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/SetupService.java
index c53adf425..361a97257 100644
--- a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/SetupService.java
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/SetupService.java
@@ -18,6 +18,8 @@
 
 import org.cibseven.webapp.providers.BpmProvider;
 import org.cibseven.webapp.rest.model.NewUser;
+import org.cibseven.webapp.rest.model.PasswordPolicyRequest;
+import org.cibseven.webapp.rest.model.PasswordPolicyResponse;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -46,14 +48,14 @@
 public class SetupService extends BaseService implements InitializingBean {
 
 	@Autowired BpmProvider bpmProvider;
-	
+
 	@Value("${cibseven.webclient.user.provider:org.cibseven.webapp.auth.SevenUserProvider}")
 	String userProvider;
-  
-  	// Initial setup is only available for internal providers, not for external identity
+
+	// Initial setup is only available for internal providers, not for external identity
 	// providers like LDAP, ADFS, or SSO where users are managed externally.
 	private static final String SEVEN_USER_PROVIDER = "org.cibseven.webapp.auth.SevenUserProvider";
-	
+
 	@Override
 	public void afterPropertiesSet() {
 	}
@@ -75,7 +77,7 @@ public void afterPropertiesSet() {
 	@GetMapping("/status")
 	public boolean requiresSetup(
 			@RequestHeader(value = "X-Process-Engine", required = false) String engine) {
-    	// Setup is only applicable when using internal user provider (SevenUserProvider)
+		// Setup is only applicable when using internal user provider (SevenUserProvider)
 		// For external identity providers (LDAP, ADFS, SSO), users are managed externally
 		if (!SEVEN_USER_PROVIDER.equals(userProvider)) {
 			return false;
@@ -105,18 +107,25 @@ public boolean requiresSetup(
 	public ResponseEntity<Void> createInitialUser(
 			@RequestBody NewUser newUser,
 			@RequestHeader(value = "X-Process-Engine", required = false) String engine) {
-    	// Setup is only applicable when using internal user provider (SevenUserProvider)
+		// Setup is only applicable when using internal user provider (SevenUserProvider)
 		if (!SEVEN_USER_PROVIDER.equals(userProvider)) {
 			return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
 		}
 		if (!bpmProvider.requiresSetup(engine)) {
 			return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
 		}
-		
+
 		// Create the admin user - backend handles group and authorization setup
 		bpmProvider.createSetupUser(newUser, engine);
 		
 		return ResponseEntity.status(HttpStatus.CREATED).build();
 	}
-	
+
+	@PostMapping("/validate-password")
+	public PasswordPolicyResponse validatePasswordPolicy(@RequestBody PasswordPolicyRequest request) {
+
+		PasswordPolicyResponse response = bpmProvider.validatePasswordPolicy(request);
+
+		return response;
+	}
 }
diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/model/PasswordPolicyRequest.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/model/PasswordPolicyRequest.java
new file mode 100644
index 000000000..cfe18b840
--- /dev/null
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/model/PasswordPolicyRequest.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright CIB software GmbH and/or licensed to CIB software GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. CIB software licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.cibseven.webapp.rest.model;
+
+import java.util.List;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import lombok.ToString;
+
+@Getter @Setter @ToString @AllArgsConstructor @NoArgsConstructor 
+public class PasswordPolicyRequest {
+    private String password;
+    private Profile profile;
+
+    @Getter @Setter @ToString @AllArgsConstructor @NoArgsConstructor 
+    public static class Profile {
+        private String id;
+        private String firstName;
+        private String lastName;
+        private String email;
+
+    }
+}
\ No newline at end of file
diff --git a/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/model/PasswordPolicyResponse.java b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/model/PasswordPolicyResponse.java
new file mode 100644
index 000000000..11fb3b61f
--- /dev/null
+++ b/cibseven-webclient-core/src/main/java/org/cibseven/webapp/rest/model/PasswordPolicyResponse.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright CIB software GmbH and/or licensed to CIB software GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. CIB software licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.cibseven.webapp.rest.model;
+
+import java.util.List;
+import java.util.Map;
+
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import lombok.ToString;
+
+@Getter @Setter @ToString @AllArgsConstructor @NoArgsConstructor 
+public class PasswordPolicyResponse {
+    private boolean valid;
+    private List<Map<String, Object>> rules;
+
+}
\ No newline at end of file
diff --git a/frontend/src/assets/translations_de.json b/frontend/src/assets/translations_de.json
index 021eb7995..628690186 100644
--- a/frontend/src/assets/translations_de.json
+++ b/frontend/src/assets/translations_de.json
@@ -1176,14 +1176,14 @@
 		"policy": {
 			"title": "Passwortrichtlinien",
 			"header": "Ihr Passwort muss die folgenden Kriterien erfüllen: ",
-			"items": [
-				"darf keine Benutzerdaten enthalten (z.B. Benutzer-ID, Vorname, Nachname, E-Mail)",
-				"Mindestlänge von 10 Zeichen",
-				"mindestens ein Großbuchstabe",
-				"mindestens ein Kleinbuchstabe",
-				"mindestens eine Ziffer",
-				"mindestens ein Sonderzeichen"
-			]
+			"items": {
+				"PASSWORD_POLICY_USER_DATA": "darf keine Benutzerdaten enthalten (z.B. Benutzer-ID, Vorname, Nachname, E-Mail)",
+				"PASSWORD_POLICY_LENGTH": "Mindestlänge von {minLength} Zeichen",
+				"PASSWORD_POLICY_LOWERCASE": "mindestens {minLowerCase} Kleinbuchstabe(n)",
+				"PASSWORD_POLICY_UPPERCASE": "mindestens {minUpperCase} Großbuchstabe(n)",
+				"PASSWORD_POLICY_DIGIT": "mindestens {minDigit} Ziffer(n)",
+				"PASSWORD_POLICY_SPECIAL": "mindestens {minSpecial} Sonderzeichen"
+			}
 		},
 		"recover": {
 			"sendEmail": "Wiederherstellungs-E-Mail senden",
@@ -1309,4 +1309,4 @@
 			"description": "Sie versuchen, auf die Prozess-Engine \"{0}\" zuzugreifen. Diese Engine ist für die Verwendung des integrierten Identitätsdienstes (Datenbank) konfiguriert, hat jedoch keine administrativen Benutzer eingerichtet. Auf dieser Seite können Sie einen ersten Benutzer für den Zugriff auf die Prozess-Engine erstellen."
 		}
 	}
-}
+}
\ No newline at end of file
diff --git a/frontend/src/assets/translations_en.json b/frontend/src/assets/translations_en.json
index cab4687dd..73b2e1940 100644
--- a/frontend/src/assets/translations_en.json
+++ b/frontend/src/assets/translations_en.json
@@ -1186,14 +1186,14 @@
 		"policy": {
 			"title": "Password Policy",
 			"header": "Your password must fulfil the following criteria: ",
-			"items": [
-				"must not contain user data (i.e., user ID, first name, last name, email)",
-				"minimum length of 10 characters",
-				"at least one upper case character",
-				"at least one lower case character",
-				"at least one digit",
-				"at least one special character"
-			]
+			"items": {
+				"PASSWORD_POLICY_USER_DATA": "must not contain user data (i.e., user ID, first name, last name, email)",
+				"PASSWORD_POLICY_LENGTH": "minimum length of {minLength} characters",
+				"PASSWORD_POLICY_LOWERCASE": "at least {minLowerCase} lower case character",
+				"PASSWORD_POLICY_UPPERCASE": "at least {minUpperCase} upper case character",
+				"PASSWORD_POLICY_DIGIT": "at least {minDigit} digit",
+				"PASSWORD_POLICY_SPECIAL": "at least {minSpecial} special character"
+			}
 		}
 	},
 	"advanced-search": {
diff --git a/frontend/src/assets/translations_es.json b/frontend/src/assets/translations_es.json
index da08aa7ee..7def2fe43 100644
--- a/frontend/src/assets/translations_es.json
+++ b/frontend/src/assets/translations_es.json
@@ -1185,14 +1185,14 @@
 		"policy": {
 			"title": "Política de contraseñas",
 			"header": "Su contraseña debe cumplir los siguientes criterios: ",
-			"items": [
-				"no debe contener datos de usuario (p.ej., ID de usuario, nombre, apellidos, correo electrónico)",
-				"10 caracteres como mínimo",
-				"al menos un carácter mayúsculo",
-				"al menos un carácter minúsculo",
-				"al menos una cifra",
-				"al menos un carácter especial"
-			]
+			"items": {
+				"PASSWORD_POLICY_USER_DATA": "no debe contener datos de usuario (p.ej., ID de usuario, nombre, apellidos, correo electrónico)",
+				"PASSWORD_POLICY_LENGTH": "mínimo {minLength} caracteres",
+				"PASSWORD_POLICY_LOWERCASE": "al menos {minLowerCase} carácter minúsculo",
+				"PASSWORD_POLICY_UPPERCASE": "al menos {minUpperCase} carácter mayúsculo",
+				"PASSWORD_POLICY_DIGIT": "al menos {minDigit} cifra",
+				"PASSWORD_POLICY_SPECIAL": "al menos {minSpecial} carácter especial"
+			}	
 		}
 	},
 	"advanced-search": {
diff --git a/frontend/src/assets/translations_ru.json b/frontend/src/assets/translations_ru.json
index 9cf72c278..28f9f9790 100644
--- a/frontend/src/assets/translations_ru.json
+++ b/frontend/src/assets/translations_ru.json
@@ -1185,14 +1185,14 @@
 		"policy": {
 			"title": "Политика паролей",
 			"header": "Ваш пароль должен соответствовать следующим критериям: ",
-			"items": [
-				"не должно содержать данные пользователя (т. е. идентификатор пользователя, имя, фамилия, адрес электронной почты)",
-				"минимальная длина 10 символов",
-				"хотя бы один символ верхнего регистра",
-				"хотя бы один символ нижнего регистра",
-				"хотя бы одна цифра",
-				"хотя бы один специальный символ"
-			]
+			"items": {
+			"PASSWORD_POLICY_USER_DATA": "не должно содержать данные пользователя (т. е. идентификатор пользователя, имя, фамилия, адрес электронной почты)",
+			"PASSWORD_POLICY_LENGTH": "минимальная длина {minLength} символов",
+			"PASSWORD_POLICY_LOWERCASE": "хотя бы {minLowerCase} символ нижнего регистра",
+			"PASSWORD_POLICY_UPPERCASE": "хотя бы {minUpperCase} символ верхнего регистра",
+			"PASSWORD_POLICY_DIGIT": "хотя бы {minDigit} цифра",
+			"PASSWORD_POLICY_SPECIAL": "хотя бы {minSpecial} специальный символ"
+			}
 		}
 	},
 	"advanced-search": {
diff --git a/frontend/src/assets/translations_ua.json b/frontend/src/assets/translations_ua.json
index c40adac95..9a576cd9a 100644
--- a/frontend/src/assets/translations_ua.json
+++ b/frontend/src/assets/translations_ua.json
@@ -1185,14 +1185,14 @@
 		"policy": {
 			"title": "Політика паролів",
 			"header": "Ваш пароль має відповідати таким критеріям:",
-			"items": [
-				"не повинен містити дані користувача (ідентифікатор, ім’я, прізвище, email)",
-				"мінімальна довжина 10 символів",
-				"щонайменше один символ верхнього регістру",
-				"щонайменше один символ нижнього регістру",
-				"щонайменше одна цифра",
-				"щонайменше один спеціальний символ"
-			]
+			"items": {
+				"PASSWORD_POLICY_USER_DATA": "не повинен містити дані користувача (ідентифікатор, ім’я, прізвище, email)",
+				"PASSWORD_POLICY_LENGTH": "мінімальна довжина {minLength} символів",
+				"PASSWORD_POLICY_LOWERCASE": "щонайменше {minLowerCase} символ нижнього регістру",
+				"PASSWORD_POLICY_UPPERCASE": "щонайменше {minUpperCase} символ верхнього регістру",
+				"PASSWORD_POLICY_DIGIT": "щонайменше {minDigit} цифра",
+				"PASSWORD_POLICY_SPECIAL": "щонайменше {minSpecial} спеціальний символ"
+			}
 		}
 	},
 	"advanced-search": {
diff --git a/frontend/src/components/admin/CreateUser.vue b/frontend/src/components/admin/CreateUser.vue
index 989ea4099..8cc7abbfe 100644
--- a/frontend/src/components/admin/CreateUser.vue
+++ b/frontend/src/components/admin/CreateUser.vue
@@ -32,15 +32,23 @@
                   <b-form-group label-cols-sm="2" label-align-sm="left">
                     <template v-slot:label>
                       {{ $t('admin.users.password') + '*' }}
-                      <span v-if="$root.config.admin.passwordPolicyEnabled" ref="passwordHelper" style="cursor: pointer" class="mdi mdi-help-circle" :class="passwordPolicyError ? 'text-danger' : 'text-secondary'"></span>
                     </template>
-                    <b-form-input :type="fieldType(showPassword)" ref="pass" v-model="credentials.password" :state="notEmpty(credentials.password) && !passwordPolicyError" required>
+                    <b-form-input :type="fieldType(showPassword)" ref="pass" v-model="credentials.password" :state="notEmpty(credentials.password) && passwordValid" @blur="validatePassword" @input="resetPasswordValidation" required>
                       <template v-slot:append>
                         <button class="btn btn-outline-secondary rounded-start-0" type="button" @click="showPassword = !showPassword">
                           <span :class="showPassword ? 'mdi mdi-eye-off' : 'mdi mdi-eye'"></span>
                         </button>
                       </template>
                     </b-form-input>
+                    <div v-if="passwordValid === false" class="invalid-feedback d-block">
+                    <h6>{{ $t('password.policy.title') }}</h6>
+                    <div>{{ $t('password.policy.header') }}</div>
+                    <ul>
+                      <li v-for="(item, idx) in invalidPasswordRules" :key="idx">
+                        {{ $t('password.policy.items.' + item.placeholder, item.parameter) }}
+                      </li>
+                    </ul>
+                  </div>
                     <div v-if="passwordPolicyError" class="text-danger">{{ $t('errors.PasswordPolicyException') }}</div>
                   </b-form-group>
                   <b-form-group :label="$t('admin.users.passwordRepeat') + '*'" label-cols-sm="2" label-align-sm="left">
@@ -78,19 +86,12 @@
         </div>
       </div>
     </div>
-    <b-popover :target="() => $refs.passwordHelper" triggers="hover">
-      <h6>{{ $t('password.policy.title') }}</h6>
-      <div>{{ $t('password.policy.header') }}</div>
-      <ul>
-        <li v-for="(item, index) in $tm('password.policy.items')" :key="index">{{ item }}</li>
-      </ul>
-    </b-popover>
     <SuccessAlert v-if="profile.id" top="0" style="z-index: 1031" ref="userCreated">{{ $t('admin.users.userCreatedMessage', [profile.id]) }}</SuccessAlert>
   </div>
 </template>
 
 <script>
-import { AdminService } from '@/services.js'
+import { AdminService, SetupService } from '@/services.js'
 import { notEmpty, same, isValidEmail } from '@/components/admin/utils.js'
 import { SuccessAlert } from '@cib/common-frontend'
 
@@ -105,10 +106,36 @@ export default {
       showPassword: false,
       showPassRepeat: false,
       passwordPolicyError: false,
-      userIdError: false
+      userIdError: false,
+      passwordValid: null,
+      passwordRules: []
+    }
+  },
+  computed: {
+    invalidPasswordRules() {
+      return (this.passwordRules ).filter(item => {
+        return item && typeof item === 'object' && item.valid === false
+      })
     }
   },
   methods: {
+    resetPasswordValidation: function () {
+      this.passwordValid = null
+      this.passwordRules = []
+    },
+    validatePassword: function () {
+      if (notEmpty(this.credentials.password)) {
+        SetupService.validatePasswordPolicy(this.credentials.password, this.profile).then((response) => {
+          this.passwordValid = response.data.valid
+          this.passwordRules = response.data.rules
+        }, error => {
+          const data = error.response.data
+          if (data && data.type === 'PasswordPolicyException') {
+            this.passwordPolicyError = true
+          }
+        })
+      }
+    },
     fieldType: function(showPass) {
       if (showPass)
         return 'text'
diff --git a/frontend/src/components/admin/ProfileUser.vue b/frontend/src/components/admin/ProfileUser.vue
index eed3232b4..7daba1c23 100644
--- a/frontend/src/components/admin/ProfileUser.vue
+++ b/frontend/src/components/admin/ProfileUser.vue
@@ -61,7 +61,7 @@
                 </b-form-group>
                 <b-form-group :label="$t('admin.users.lastName') + '*'" label-cols-sm="6" label-cols-md="6" label-cols-lg="4" label-align-sm="left" label-class="pb-4"
                   :invalid-feedback="$t('errors.invalid')">
-                  <b-form-input v-model="user.lastName"  @update:modelValue="dirty=true"
+                  <b-form-input v-model="user.lastName"  @update:modelValue="dirty=true" 
                     :state="notEmpty(user.lastName)" :readonly="!$root.config.userEditable || !editMode" required></b-form-input>
                 </b-form-group>
                 <b-form-group :label="$t('admin.users.email')" label-cols-sm="6" label-cols-md="6" label-cols-lg="4" label-align-sm="left" label-class="pb-4"
@@ -76,22 +76,36 @@
           </div>
 
           <!-- Account Tab -->
-          <div v-else-if="selectedTab === 'account' && $root.config.userEditable" class="row pt-3 ps-4 pe-4">
+          <div v-else-if="selectedTab === 'account' && $root.config.userEditable && $root.config.userPasswordChangeEnabled" class="row pt-3 ps-4 pe-4">
             <ContentBlock
               :title="$t('password.recover.changePassword')"
               class="col-lg-6 col-md-8 col-sm-12">
               <b-form-group v-if="$root.config.userPasswordChangeEnabled" labels-cols-lg="4" label-size="lg" label-class="fw-bold pt-0 pb-4" class="m-0">
                 <b-form-group :label="$t('password.recover.currentUserPassword') + '*'" label-cols-sm="4"
                   label-align-sm="left" label-class="pb-4" :invalid-feedback="$t('errors.invalid')">
-                    <b-form-input type="password" v-model="credentials.authenticatedUserPassword"></b-form-input>
+                  <SecureInput v-model="credentials.authenticatedUserPassword"></SecureInput>
                 </b-form-group>
                 <b-form-group :label="$t('password.recover.newPassword') + '*'" label-cols-sm="4"
-                  label-align-sm="left" label-class="pb-4" :invalid-feedback="$t('errors.invalid')">
-                  <b-form-input type="password" v-model="credentials.password"></b-form-input>
+                label-align-sm="left" label-class="pb-4" :invalid-feedback="$t('errors.invalid')">
+                  <SecureInput v-model="credentials.password" @blur="validatePassword" @input="resetPasswordValidation"
+                    ref="newPasswordInput" :class="{'is-valid': passwordValid === true,'is-invalid': passwordValid === false}"></SecureInput>
+                  <div v-if="passwordValid === false" class="invalid-feedback d-block">
+                    <h6>{{ $t('password.policy.title') }}</h6>
+                    <div>{{ $t('password.policy.header') }}</div>
+                    <ul>
+
+                      <li v-for="(item, idx) in invalidPasswordRules" :key="idx">
+                        {{ $t('password.policy.items.' + item.placeholder, item.parameter) }}
+                      </li>
+                    </ul>
+                  </div>
                 </b-form-group>
                 <b-form-group :label="$t('password.recover.newPasswordRepeat') + '*'" label-cols-sm="4"
                   label-align-sm="left" label-class="pb-4" :invalid-feedback="$t('errors.invalid')">
-                  <b-form-input type="password" v-model="passwordRepeat"></b-form-input>
+                  <SecureInput v-model="passwordRepeat" :class="{
+                    'is-invalid': passwordRepeat && !same(credentials.password, passwordRepeat),
+                    'is-valid': passwordValid && same(credentials.password, passwordRepeat),
+                  }"></SecureInput>
                 </b-form-group>
                 <div class="float-end d-flex align-items-center">
                   <b-button type="submit" variant="secondary" @click="changePassword($event)">{{$t('password.recover.changePassword')}}</b-button>
@@ -236,13 +250,6 @@
 
       </div>
     </transition>
-    <b-popover :target="() => $refs.passwordHelper" triggers="hover">
-      <h6>{{ $t('password.policy.title') }}</h6>
-      <div>{{ $t('password.policy.header') }}</div>
-      <ul>
-        <li v-for="(item, index) in $tm('password.policy.items')" :key="index">{{ item }}</li>
-      </ul>
-    </b-popover>
     <SuccessAlert ref="emailSent"> {{ $t('password.recover.emailSent') }} </SuccessAlert>
     <SuccessAlert ref="updateProfile" top="0" style="z-index: 1031">{{ $t('admin.users.updateProfileMessage', [user.id]) }}</SuccessAlert>
     <SuccessAlert ref="updatePassword" top="0" style="z-index: 1031">{{ $t('admin.users.updatePasswordMessage', [user.id]) }}</SuccessAlert>
@@ -253,16 +260,17 @@
 </template>
 
 <script>
-import { AdminService } from '@/services.js'
+import { AdminService, SetupService } from '@/services.js'
 import { notEmpty, same } from '@/components/admin/utils.js'
-import { SidebarsFlow, FlowTable, SuccessAlert, CIBForm, ContentBlock }  from '@cib/common-frontend'
+import { SidebarsFlow, FlowTable, SuccessAlert, CIBForm, ContentBlock } from '@cib/common-frontend'
 import ProfilePreferencesTab from '@/components/admin/ProfilePreferencesTab.vue'
 import CellActionButton from '@/components/common-components/CellActionButton.vue'
 import { mapActions, mapGetters } from 'vuex'
+import SecureInput from '@/components/login/SecureInput.vue'
 
 export default {
   name: 'ProfileUser',
-  components: { SidebarsFlow, FlowTable, SuccessAlert, CIBForm, ProfilePreferencesTab, ContentBlock, CellActionButton },
+  components: { SidebarsFlow, FlowTable, SuccessAlert, CIBForm, ProfilePreferencesTab, ContentBlock, CellActionButton, SecureInput },
   inject: ['AuthService'],
   props: {
     editMode: {
@@ -274,7 +282,7 @@ export default {
   data: function () {
     return {
       leftOpen: true,
-      user: { id: null, firstName: null,  lastName: null, email: null, noInfo: true },
+      user: { id: null, firstName: null, lastName: null, email: null, noInfo: true },
       dirty: false,
       credentials: { authenticatedUserPassword: null, password: null },
       passwordRepeat: null,
@@ -285,7 +293,9 @@ export default {
       passwordPolicyError: false,
       passwordVisibility: { current: false, new: false, repeat: false },
       sendingEmail: false,
-      userTenants: []
+      userTenants: [],
+      passwordValid: null,
+      passwordRules: []
     }
   },
   watch: {
@@ -304,6 +314,11 @@ export default {
   },
   computed: {
     ...mapGetters(['tenants']),
+    invalidPasswordRules() {
+      return (this.passwordRules ).filter(item => {
+        return item && typeof item === 'object' && item.valid === false
+      })
+    },
     selectedTab() {
       const defaultTab = this.user.noInfo ? 'preferences' : 'profile'
       return this.$route.query.tab || defaultTab
@@ -380,9 +395,26 @@ export default {
     ...mapActions(['fetchTenants', 'getTenantsByUser', 'removeUserFromTenant', 'addUserToTenant']),
     loadUser: async function(userId) {
       return AdminService.findUsers({ id: userId }).then(response => {
-        this.user = response[0] || { id: userId, firstName: null,  lastName: null, email: null, noInfo: true }
+        this.user = response[0] || { id: userId, firstName: null, lastName: null, email: null, noInfo: true }
       })
     },
+    resetPasswordValidation: function () {
+      this.passwordValid = null,
+      this.passwordRules = []
+    },
+    validatePassword: function () {
+      if (notEmpty(this.credentials.password)) {
+        SetupService.validatePasswordPolicy(this.credentials.password, this.user).then((response) => {
+          this.passwordValid = response.data.valid
+          this.passwordRules = response.data.rules
+        }, error => {
+          const data = error.response.data
+          if (data && data.type === 'PasswordPolicyException') {
+            this.passwordPolicyError = true
+          }
+        })
+      }
+    },
     loadGroups: function(userId) {
       AdminService.findGroups({ member: userId }).then(response => {
         this.groups = response
@@ -407,14 +439,14 @@ export default {
       if (same(this.credentials.password, this.passwordRepeat) && notEmpty(this.credentials.authenticatedUserPassword)) {
         AdminService.updateUserCredentials(this.user.id, this.credentials.password,
           this.credentials.authenticatedUserPassword).then(() => {
-          this.passwordPolicyError = false
-          this.$refs.updatePassword.show(2)
-        }, error => {
-          const data = error.response.data
-          if (data && data.type === 'PasswordPolicyException') {
-            this.passwordPolicyError = true
-          }
-        })
+            this.passwordPolicyError = false
+            this.$refs.updatePassword.show(2)
+          }, error => {
+            const data = error.response.data
+            if (data && data.type === 'PasswordPolicyException') {
+              this.passwordPolicyError = true
+            }
+          })
       }
     },
     deleteUser: function() {
diff --git a/frontend/src/components/login/SecureInput.vue b/frontend/src/components/login/SecureInput.vue
index 06180d3ec..3ce062c0b 100644
--- a/frontend/src/components/login/SecureInput.vue
+++ b/frontend/src/components/login/SecureInput.vue
@@ -18,7 +18,7 @@
 -->
 <template>
   <div class="position-relative">
-    <input id="password-input" ref="input" :value="modelValue" :placeholder="placeholder" :type="show ? 'text' : 'password'" class="form-control pe-5"
+    <input id="password-input" v-bind="$attrs" ref="input" :value="modelValue" :placeholder="placeholder" :type="show ? 'text' : 'password'" class="form-control pe-5"
       :class="{ 'is-invalid': hasError }"
       :disabled="disabled" :autocomplete="autocomplete" :aria-describedby="ariaDescribedby" :aria-invalid="hasError ? 'true' : 'false'" :aria-required="required" @input="handleInput">
     <b-button type="button" variant="link" size="sm" tabindex="0" @click="show = !show" @keydown.enter="show = !show" @keydown.space.prevent="show = !show" 
@@ -29,7 +29,12 @@
       style="cursor: pointer;"></b-button>
   </div>
 </template>
-
+<style scoped>
+.form-control.is-invalid,
+.form-control.is-valid {
+  background-image: none !important;
+}
+</style>
 <script>
 export default {
   name: 'SecureInput',
diff --git a/frontend/src/components/setup/InitialSetup.vue b/frontend/src/components/setup/InitialSetup.vue
index 7c7adad15..c0235d66e 100644
--- a/frontend/src/components/setup/InitialSetup.vue
+++ b/frontend/src/components/setup/InitialSetup.vue
@@ -23,7 +23,7 @@
         <h2 class="h4">{{ $t('setup.title') }}</h2>
         <p>{{ $t('setup.description') }}</p>
       </div>
-
+      
       <div class="container-fluid">
         <div class="row justify-content-center">
           <!-- Help Text - shows first on mobile -->
@@ -71,22 +71,6 @@
                     <div class="mb-3">
                       <label class="form-label" for="password">
                         {{ $t('admin.users.password') }} <span class="text-danger">*</span>
-                        <span
-                          v-if="passwordPolicyEnabled"
-                          ref="passwordHelper"
-                          class="mdi mdi-help-circle"
-                          :class="passwordPolicyError ? 'text-danger' : 'text-secondary'"
-                          style="cursor: pointer"
-                        ></span>
-                        <b-popover v-if="passwordPolicyEnabled" :target="() => $refs.passwordHelper" triggers="hover" placement="right">
-                          <h6>{{ $t('password.policy.title') }}</h6>
-                          <div>{{ $t('password.policy.header') }}</div>
-                          <ul class="mb-0 ps-3">
-                            <li v-for="(item, index) in $tm('password.policy.items')" :key="index">
-                              {{ item }}
-                            </li>
-                          </ul>
-                        </b-popover>
                       </label>
                       <div class="input-group">
                         <input
@@ -94,10 +78,9 @@
                           :type="showPassword ? 'text' : 'password'"
                           class="form-control"
                           v-model="credentials.password"
-                          :class="{
-                            'is-invalid': submitted && !notEmpty(credentials.password),
-                            'is-valid': notEmpty(credentials.password) && !passwordPolicyError,
-                          }"
+                          @blur="validatePassword"
+                          @input="resetPasswordValidation"
+                          :class="{'is-valid': passwordValid === true,'is-invalid': passwordValid === false}"
                           required
                         />
                         <button
@@ -108,6 +91,15 @@
                         >
                           <span :class="showPassword ? 'mdi mdi-eye-off' : 'mdi mdi-eye'"></span>
                         </button>
+                        <div v-if="passwordValid === false" class="invalid-feedback d-block">
+                          <h6>{{ $t('password.policy.title') }}</h6>
+                          <div>{{ $t('password.policy.header') }}</div>
+                          <ul>
+                            <li v-for="(item, idx) in invalidPasswordRules" :key="idx">
+                              {{ $t('password.policy.items.' + item.placeholder, item.parameter) }}
+                            </li>
+                          </ul>
+                        </div>
                       </div>
                       <div v-if="passwordPolicyError" class="text-danger small mt-1">
                         {{ $t('errors.PasswordPolicyException') }}
@@ -234,6 +226,8 @@ export default {
       userIdError: false,
       submitted: false,
       submitting: false,
+      passwordValid: null,
+      passwordRules: []
     }
   },
   computed: {
@@ -243,8 +237,30 @@ export default {
     engineName() {
       return localStorage.getItem(ENGINE_STORAGE_KEY) || 'default'
     },
+    invalidPasswordRules() {
+      return (this.passwordRules ).filter(item => {
+        return item && typeof item === 'object' && item.valid === false
+      })
+    }
   },
   methods: {
+    resetPasswordValidation: function () {
+      this.passwordValid = null
+      this.passwordRules = []
+    },
+    validatePassword: function () {
+      if (notEmpty(this.credentials.password)) {
+        SetupService.validatePasswordPolicy(this.credentials.password, this.profile).then((response) => {
+          this.passwordValid = response.data.valid
+          this.passwordRules = response.data.rules
+        }, error => {
+          const data = error.response.data
+          if (data && data.type === 'PasswordPolicyException') {
+            this.passwordPolicyError = true
+          }
+        })
+      }
+    },
     notEmpty(value) {
       return notEmpty(value)
     },
diff --git a/frontend/src/services.js b/frontend/src/services.js
index cade4653f..49788cf64 100644
--- a/frontend/src/services.js
+++ b/frontend/src/services.js
@@ -44,7 +44,7 @@ function createDocumentEndpointUrl(processInstanceId, variableName, authToken, c
   // Use base path from current location (removes hash). This reliably includes any deployment context path, both locally and in production.
   const basePath = window.location.href.replace(window.location.hash, '');
   const encodedContentType = encodeURIComponent(contentType);
-  
+
   return `${basePath}${getServicesBasePath()}/process/process-instance/${processInstanceId}/variables/${variableName}/data?token=${authToken}&contentType=${encodedContentType}&cacheBust=${cacheBust}`;
 }
 
@@ -86,7 +86,7 @@ const TaskService = {
   setAssignee: function(taskId, userId) { return axios.post(getServicesBasePath() + "/task/" + taskId + "/assignee/" + userId) },
   update: function(task) { return axios.put(getServicesBasePath() + "/task/update", task) },
   fetchActivityVariables: function(activityInstanceId) {
-	return axios.get(getServicesBasePath() + "/task/" + activityInstanceId + "/variables")
+    return axios.get(getServicesBasePath() + "/task/" + activityInstanceId + "/variables")
   },
   findTasksCountByFilter: function(filterId, filters) { return axios.post(getServicesBasePath() + "/task/by-filter/" + filterId + '/count', filters) },
   checkActiveTask: function(id, auth) {
@@ -125,13 +125,13 @@ const ProcessService = {
     return axios.get(url)
   },
   findProcessById: function(id, extraInfo = false) {
-	  return axios.get(getServicesBasePath() + "/process/process-definition-id/" + id + '?extraInfo=' + extraInfo)
+    return axios.get(getServicesBasePath() + "/process/process-definition-id/" + id + '?extraInfo=' + extraInfo)
   },
   findProcessesInstances: function(key) {
-	  return axios.get(getServicesBasePath() + "/process/instances/by-process-key/" + key)
+    return axios.get(getServicesBasePath() + "/process/instances/by-process-key/" + key)
   },
   findProcessInstance: function(processInstanceId) {
-	  return axios.get(getServicesBasePath() + "/process/process-instance/" + processInstanceId)
+    return axios.get(getServicesBasePath() + "/process/process-instance/" + processInstanceId)
   },
   findCurrentProcessesInstances: function(filter) {
     return axios.post(getServicesBasePath() + "/process/instances", filter)
@@ -140,12 +140,12 @@ const ProcessService = {
     return axios.get(getServicesBasePath() + "/process/activity/by-process-instance/" + processInstanceId)
   },
   findCalledProcessDefinitions: function(processDefinitionId) {
-	  return axios.get(getServicesBasePath() + "/process/called-process-definitions/" + processDefinitionId)
+    return axios.get(getServicesBasePath() + "/process/called-process-definitions/" + processDefinitionId)
   },
   fetchDiagram: function(processId) { return axios.get(getServicesBasePath() + "/process/" + processId + "/diagram") },
   startProcess: function(key, tenantId, locale) {
     let url = `${getServicesBasePath()}/process/${key}/start`
-    if (tenantId)  url += `?tenantId=${tenantId}`
+    if (tenantId) url += `?tenantId=${tenantId}`
     return axios.post(url, {
       variables: {
         _locale: { value: locale, type: String }
@@ -189,7 +189,7 @@ const ProcessService = {
     })
   },
   findDeployment: function(deploymentId) {
-	return axios.get(getServicesBasePath() + "/process/deployments/" + deploymentId)
+    return axios.get(getServicesBasePath() + "/process/deployments/" + deploymentId)
   },
   findDeploymentResources: function(deploymentId) {
     return axios.get(getServicesBasePath() + "/process/deployments/" + deploymentId + "/resources")
@@ -216,10 +216,10 @@ const ProcessService = {
   fetchChatComments: function(processInstanceId, processDefinitionKey, deserialize) {
     return axios.get(getServicesBasePath() + '/process/process-instance/' + processInstanceId + '/chat-comments',
       { params: {
-        deserialize: deserialize,
-        processDefinitionKey: processDefinitionKey
-      }
-    })
+          deserialize: deserialize,
+          processDefinitionKey: processDefinitionKey
+        }
+      })
   },
   fetchStatusDataset: function(processInstanceId, processDefinitionKey, deserialize) {
     return axios.get(getServicesBasePath() + '/process/process-instance/' + processInstanceId + '/status-dataset', {
@@ -303,8 +303,8 @@ const AdminService = {
   updateUserProfile: function (userId, user) { return axios.put(getServicesBasePath() + "/admin/user/" + userId + "/profile", user) },
   updateUserCredentials: function (userId, password, authenticatedUserPassword) {
     return axios.put(getServicesBasePath() + "/admin/user/" + userId + "/credentials", {
-        password: password,
-        authenticatedUserPassword: authenticatedUserPassword
+      password: password,
+      authenticatedUserPassword: authenticatedUserPassword
     })
   },
   deleteUser: function (userId) { return axios.delete(getServicesBasePath() + "/admin/user/" + userId) },
@@ -326,9 +326,9 @@ const AdminService = {
     })
   },
   createAuthorization: function (authorization) { return axios.post(getServicesBasePath() + "/admin/authorization/create", authorization) },
-  updateAuthorization: function (authorizationId, authorization)
-    { return axios.put(getServicesBasePath() + "/admin/authorization/" + authorizationId, authorization) },
-  deleteAuthorization: function (authorizationId) { return axios.delete(getServicesBasePath() + "/admin/authorization/" + authorizationId) }
+  updateAuthorization: function (authorizationId, authorization) { return axios.put(getServicesBasePath() + "/admin/authorization/" + authorizationId, authorization) },
+  deleteAuthorization: function (authorizationId)
+    { return axios.delete(getServicesBasePath() + "/admin/authorization/" + authorizationId) }
 
 }
 
@@ -422,8 +422,8 @@ const HistoryService = {
   findActivitiesProcessDefinitionHistory: function(processDefinitionId, params) {
     return axios.get(getServicesBasePath() + "/process-history/activity/by-process-definition/" + processDefinitionId, { params })
   },
-  findActivitiesInstancesHistoryWithFilter(filter){
-	  return axios.get(getServicesBasePath() + "/process-history/activity", { params: filter })
+  findActivitiesInstancesHistoryWithFilter(filter) {
+    return axios.get(getServicesBasePath() + "/process-history/activity", { params: filter })
   },
   fetchProcessInstanceVariablesHistory: function(processInstanceId, filter) {
     return axios.get(getServicesBasePath() + "/process-history/instance/by-process-instance/" + processInstanceId + "/variables",
@@ -504,16 +504,16 @@ const IncidentService = {
 }
 
 const AuthService = {
-  fetchAuths: function() {return axios.get(getServicesBasePath() + "/auth/authorizations") },
+  fetchAuths: function() { return axios.get(getServicesBasePath() + "/auth/authorizations") },
   passwordRecover: function(data) { return axios.post(getServicesBasePath() + "/auth/password-recover", data) },
   passwordRecoverCheck: function(recoverToken) { return axios.get(getServicesBasePath() + "/auth/password-recover-check",
-    { headers: { authorization: recoverToken } }
-  ) },
+      { headers: { authorization: recoverToken } }
+    ) },
   passwordRecoverUpdatePassword: function(userId, password, authenticatedUserPassword, recoverToken) {
     return axios.put(getServicesBasePath() + "/auth/password-recovery-update-password/" + userId,
-    { password: password, authenticatedUserPassword: authenticatedUserPassword },
-    { headers: { authorization: recoverToken } }
-  ) },
+      { password: password, authenticatedUserPassword: authenticatedUserPassword },
+      { headers: { authorization: recoverToken } }
+    ) },
   login: function(params, remember) {
     const engineName = localStorage.getItem(ENGINE_STORAGE_KEY)
     const headers = engineName ? { 'X-Process-Engine': engineName } : {}
@@ -551,7 +551,7 @@ const FormsService = {
     return axios.post(getServicesBasePath() + '/process/' + processDefinitionId + '/submit-startform-variables', formResult)
   },
   downloadFiles: function(processInstanceId, documentsList) {
-    return axios.post(getServicesBasePath() + '/task/' + processInstanceId + '/download', documentsList, { responseType: 'blob' } )
+    return axios.post(getServicesBasePath() + '/task/' + processInstanceId + '/download', documentsList, { responseType: 'blob' })
   },
   downloadFile: function(processInstanceId, fileVariable) {
     return axios.get(getServicesBasePath() + '/task/' + processInstanceId + '/variable/download/' + fileVariable, { responseType: 'blob' })
@@ -586,11 +586,11 @@ const FormsService = {
 
 const TemplateService = {
   getTemplate: function(element, taskId, locale, token) {
-	return axios.get(getServicesBasePath() + '/template/' + element + '/' + taskId + '?locale=' + locale, {
-	    headers: {
+    return axios.get(getServicesBasePath() + '/template/' + element + '/' + taskId + '?locale=' + locale, {
+      headers: {
         Authorization: `${token}`
-	    }
-	  })
+      }
+    })
   }
 }
 
@@ -825,9 +825,19 @@ const SetupService = {
     const engineName = localStorage.getItem(ENGINE_STORAGE_KEY)
     const headers = engineName ? { 'X-Process-Engine': engineName } : {}
     return axios.create().post(getServicesBasePath() + '/setup/user', user, { headers })
+  },
+  validatePasswordPolicy(password, profile) {
+    const engineName = localStorage.getItem(ENGINE_STORAGE_KEY)
+    const headers = engineName ? { 'X-Process-Engine': engineName } : {}
+    const body = {
+      password: password,
+      profile: profile
+    }
+    return axios.create().post(getServicesBasePath() + '/setup/validate-password', body, { headers })
   }
 }
-
-export { TaskService, FilterService, ProcessService, VariableInstanceService, HistoricVariableInstanceService, AdminService, JobService, JobDefinitionService, SystemService,
+export {
+  TaskService, FilterService, ProcessService, VariableInstanceService, HistoricVariableInstanceService, AdminService, JobService, JobDefinitionService, SystemService,
   HistoryService, IncidentService, AuthService, InfoService, FormsService, TemplateService, DecisionService,
-  AnalyticsService, BatchService, TenantService, ExternalTaskService, DeploymentService, EngineService, SetupService, getServicesBasePath, setServicesBasePath, createDocumentEndpointUrl }
+  AnalyticsService, BatchService, TenantService, ExternalTaskService, DeploymentService, EngineService, SetupService, getServicesBasePath, setServicesBasePath, createDocumentEndpointUrl
+}