diff --git a/config/default.js b/config/default.js
index 844265679..79dfa5aae 100755
--- a/config/default.js
+++ b/config/default.js
@@ -37,6 +37,8 @@ module.exports = {
 auth: {
 login: true,
 signup: true,
+ usernameLength: [2, 24],
+ usernamePattern: /^[a-zA-Z0-9_-]$/,
 },
 exclude: {
 channels: [
diff --git a/src/auth.js b/src/auth.js
index 6220b1802..7dadf8c96 100755
--- a/src/auth.js
+++ b/src/auth.js
@@ -26,7 +26,7 @@ async function login(credentials) {
 throw new HttpError('Authentication is disabled', 405);
 }
 
- const user = await fetchUser(credentials.username, true);
+ const user = await fetchUser(credentials.username.trim(), true);
 
 if (!user) {
 throw new HttpError('Username or password incorrect', 401);
@@ -46,10 +46,24 @@ async function signup(credentials) {
 throw new HttpError('Authentication is disabled', 405);
 }
 
- if (!credentials.username) {
+ const curatedUsername = credentials.username.trim();
+
+ if (!curatedUsername) {
 throw new HttpError('Username required', 400);
 }
 
+ if (curatedUsername.length < config.auth.usernameLength[0]) {
+ throw new HttpError('Username is too short', 400);
+ }
+
+ if (curatedUsername.length > config.auth.usernameLength[1]) {
+ throw new HttpError('Username is too long', 400);
+ }
+
+ if (!config.auth.usernamePattern.test(curatedUsername)) {
+ throw new HttpError('Username contains invalid characters', 400);
+ }
+
 if (!credentials.email) {
 throw new HttpError('E-mail required', 400);
 }
@@ -59,7 +73,7 @@ async function signup(credentials) {
 }
 
 const existingUser = await knex('users')
- .where('username', credentials.username)
+ .where('username', curatedUsername)
 .orWhere('email', credentials.email)
 .first();
 
@@ -73,7 +87,7 @@ async function signup(credentials) {
 
 const [userId] = await knex('users')
 .insert({
- username: credentials.username,
+ username: curatedUsername,
 email: credentials.email,
 password: storedPassword,
 })
diff --git a/src/tools/stashes-load.js b/src/tools/stashes-load.js
index 731f32c50..e915a7be2 100644
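Review bot: `usernamePattern: /^[a-zA-Z0-9_-]$/` has no quantifier after the character class, so it matches exactly one character; together with the `[2, 24]` length bounds, every signup would fail the pattern check in src/auth.js with 'Username contains invalid characters'. Change it to `usernamePattern: /^[a-zA-Z0-9_-]+$/,`. Keep the regex free of the `g`/`y` flags as it is here: it is a shared module-level object used with `.test()`, and a global or sticky flag would make `lastIndex` carry over between calls. A short comment on the two keys, e.g. `// usernameLength: [min, max]; usernamePattern: allowed characters (ASCII letters, digits, _ and -)`, would help future readers.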
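Review bot: `credentials.username.trim()` throws a TypeError when the request body omits `username` or sends a non-string value, so a malformed login now surfaces as an unhandled error (likely a 500) instead of the 401 the untrimmed lookup produced; the same unguarded `.trim()` is introduced in the signup hunk below, where it replaces the `if (!credentials.username)` guard that previously returned 'Username required', and in src/tools/stashes-load.js. Normalise first with `const username = typeof credentials.username === 'string' ? credentials.username.trim() : '';` and pass `username` to `fetchUser`, so missing input still falls through to the existing 'Username or password incorrect' path (and in signup to the 'Username required' check). login's body starts and ends outside the hunk.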
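Review bot: `config.auth.usernameLength[0]` and `config.auth.usernameLength[1]` are indexed separately in the two bounds checks; destructuring once names the bounds and reads better: `const [minLength, maxLength] = config.auth.usernameLength;` then `if (curatedUsername.length < minLength)` and `if (curatedUsername.length > maxLength)`. The three new checks could also be pulled into a small `validateUsername(username)` helper so the rule set lives in one place should another caller need it. signup's body continues outside the hunk on both sides.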
--- a/src/tools/stashes-load.js
+++ b/src/tools/stashes-load.js
@@ -120,7 +120,7 @@ async function load() {
 
 const user = await knex('users')
 .select('id')
- .where('username', stash.username)
+ .where('username', stash.username.trim())
 .first();
 
 if (!user) {
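Review bot: `stash.username.trim()` looks up a trimmed value, but nothing in this change normalises what is already stored in `users.username`; if any existing rows were inserted untrimmed before this commit, this lookup (and the trimmed login lookup in src/auth.js) will stop matching them and the `if (!user)` branch below fires for accounts that do exist. That is an inference from the hunk alone — if the column was always written trimmed it is moot — but a one-off migration that trims existing usernames would make the change safe either way. As in the other hunks, `stash.username` is assumed to be a string here; a non-string stash entry would throw a TypeError inside load(). load's body starts and ends outside the hunk.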