diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 5d6e3afb7..6928a933f 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -11,12 +11,16 @@ class ApiUser < User
     }
   end
 
+  def self.min_password_length # Must precede .validates
+    6
+  end
+
   # TODO: should have max request limit per day?
   belongs_to :registrar
   has_many :certificates
 
   validates :username, :password, :registrar, :roles, presence: true
-  validates :password, length: { minimum: 6 }
+  validates :password, length: { minimum: min_password_length }
   validates :username, uniqueness: true
 
   # TODO: probably cache, because it's requested on every EPP
diff --git a/spec/models/api_user_spec.rb b/spec/models/api_user_spec.rb
index 4b8fd9c4e..20ac4afff 100644
--- a/spec/models/api_user_spec.rb
+++ b/spec/models/api_user_spec.rb
@@ -1,6 +1,6 @@
 require 'rails_helper'
 
-describe ApiUser do
+RSpec.describe ApiUser do
   context 'class methods' do
     before do
       Fabricate(:api_user, identity_code: '')
@@ -26,7 +26,7 @@ describe ApiUser do
       @api_user.valid?
       @api_user.errors.full_messages.should match_array([
         "Password Password is missing",
-        "Password is too short (minimum is 6 characters)",
+        "Password is too short (minimum is #{ApiUser.min_password_length} characters)",
         "Registrar Registrar is missing",
         "Username Username is missing",
         "Roles is missing"
@@ -68,4 +68,10 @@ describe ApiUser do
       end
     end
   end
+
+  describe '::min_password_length', db: false do
+    it 'returns minimum password length' do
+      expect(described_class.min_password_length).to eq(6)
+    end
+  end
 end