diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
index afcbd0615..c9e3b7d70 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
@@ -4,6 +4,7 @@ import lombok.Getter;
 import lombok.Setter;
 
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
 /**
@@ -16,6 +17,7 @@ public class UserForm {
 
     @NotNull
     @Size(min=6, max=20)
+    @Pattern(regexp = "[a-zA-Z0-9]*", message = "can only contain letters and digits")
     private String username;
     @NotNull
     @Size(min=6, max=10)