diff --git a/components/auth/onboarding-form.tsx b/components/auth/onboarding-form.tsx
index d5218eb..f08e84d 100644
--- a/components/auth/onboarding-form.tsx
+++ b/components/auth/onboarding-form.tsx
@@ -1,7 +1,7 @@
 "use client";
 
 import { useUser } from "@clerk/nextjs";
-import { AlertCircle } from "lucide-react";
+import { AlertCircle, Check, X } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useState } from "react";
 import { finishOnboarding } from "@/app/actions/_userActions";
@@ -20,30 +20,51 @@ import { cryptoService } from "@/lib/crypto";
 import { isErrorResponse, getErrorInfo } from "@/lib/query-utils";
 import { cn } from "@/lib/utils";
 
+const passwordSchema = z
+  .object({
+    password: z
+      .string()
+      .min(12, "At least 12 characters")
+      .regex(/[A-Z]/, "At least 1 uppercase letter (A–Z)")
+      .regex(/[a-z]/, "At least 1 lowercase letter (a–z)")
+      .regex(/\d/, "At least 1 number (0–9)")
+      .regex(
+        /[!@#$%^&*()_+\-]/,
+        "At least 1 special character (!@#$%^&*()_+-)"
+      ),
+    repeatPassword: z.string(),
+  })
+  .refine(data => data.password === data.repeatPassword, {
+    message: "Passwords do not match",
+    path: ["repeatPassword"],
+  });
+
+type PasswordFormValues = z.infer<typeof passwordSchema>;
+
 export function SignUpForm({
   className,
   ...props
 }: React.ComponentPropsWithoutRef<"div">) {
-  const [password, setPassword] = useState("");
-  const [repeatPassword, setRepeatPassword] = useState("");
   const [isLoading, setIsLoading] = useState(false);
   const [error, setError] = useState<string>("");
   const router = useRouter();
   const { user } = useUser();
 
-  const handleSignUp = async (e: React.FormEvent) => {
-    e.preventDefault();
+  const {
+    register,
+    handleSubmit,
+    formState: { errors, isValid },
+  } = useForm<PasswordFormValues>({
+    resolver: zodResolver(passwordSchema),
+    mode: "onChange",
+  });
+
+  const onSubmit = async (data: PasswordFormValues) => {
     setError("");
     setIsLoading(true);
-    if (password !== repeatPassword) {
-      setError("Passwords do not match");
-      setIsLoading(false);
-      return;
-    }
-
     try {
       const { publicKey, wrappedPrivateKey, salt, wrappedDefaultVaultKey } =
-        await cryptoService.onboarding(password);
+        await cryptoService.onboarding(data.password);
 
       const response = await finishOnboarding({
         salt,
@@ -52,22 +73,18 @@ export function SignUpForm({
         wrappedDefaultVaultKey,
       });
 
-      // Handle error responses
       if (isErrorResponse(response)) {
         const { error } = response;
         console.error(`[${error.code}] Onboarding failed: ${error.message}`);
-
         const errorMessage =
           error.code === "ONBOARDING_FAILED"
             ? "Failed to complete onboarding. Please try again."
             : error.code === "UNAUTHORIZED"
               ? "Authentication failed. Please sign in again."
               : error.message;
-
         setError(errorMessage);
         return;
       }
-
       await user?.reload();
       router.push("/");
     } catch (error) {
@@ -105,7 +122,7 @@ export function SignUpForm({
           </CardDescription>
         </CardHeader>
         <CardContent>
-          <form onSubmit={handleSignUp} className="space-y-4">
+          <form onSubmit={handleSubmit(onSubmit)} className="space-y-4">
             {error && (
               <div
                 className="rounded-md bg-red-50 p-3 text-sm text-red-500"
@@ -128,9 +145,13 @@ export function SignUpForm({
                   id="password"
                   type="password"
                   required
-                  value={password}
-                  onChange={e => setPassword(e.target.value)}
+                  {...register("password")}
                 />
+                {errors.password && (
+                  <div className="pt-1 text-xs text-red-600">
+                    {errors.password.message as string}
+                  </div>
+                )}
               </div>
               <div className="grid gap-2">
                 <div className="flex items-center">
@@ -142,11 +163,21 @@ export function SignUpForm({
                   id="repeat-password"
                   type="password"
                   required
-                  value={repeatPassword}
-                  onChange={e => setRepeatPassword(e.target.value)}
+                  {...register("repeatPassword")}
                 />
+                {errors.repeatPassword && (
+                  <div className="text-xs text-red-600 pt-1">
+                    {errors.repeatPassword.message as string}
+                  </div>
+                )}
               </div>
-              <Button type="submit" className="w-full" disabled={isLoading}>
+              <Button
+                type="submit"
+                className="w-full"
+                disabled={
+                  isLoading || !isValid
+                }
+              >
                 {isLoading
                   ? "Setting master password..."
                   : "Set master password"}
diff --git a/lib/crypto.ts b/lib/crypto.ts
index 263db1d..fc7dbc1 100644
--- a/lib/crypto.ts
+++ b/lib/crypto.ts
@@ -311,5 +311,3 @@ const BufferTransformer = {
     return btoa(binary);
   },
 };
-
-export const cryptoService = new CryptoService();
diff --git a/package-lock.json b/package-lock.json
index 8f71124..7a6771c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,6 +9,7 @@
       "version": "0.1.0",
       "dependencies": {
         "@clerk/nextjs": "^6.19.4",
+        "@hookform/resolvers": "^5.1.1",
         "@prisma/client": "^6.7.0",
         "@radix-ui/react-avatar": "^1.1.9",
         "@radix-ui/react-dialog": "^1.1.13",
@@ -26,8 +27,10 @@
         "next-themes": "^0.4.6",
         "react": "^19.0.0",
         "react-dom": "^19.0.0",
+        "react-hook-form": "^7.60.0",
         "sonner": "^2.0.3",
-        "tailwind-merge": "^3.3.0"
+        "tailwind-merge": "^3.3.0",
+        "zod": "^3.25.75"
       },
       "devDependencies": {
         "@eslint/eslintrc": "^3",
@@ -842,6 +845,18 @@
       "integrity": "sha512-MDWhGtE+eHw5JW7lq4qhc5yRLS11ERl1c7Z6Xd0a58DozHES6EnNNwUWbMiG4J9Cgj053Bhk8zvlhFYKVhULwg==",
       "license": "MIT"
     },
+    "node_modules/@hookform/resolvers": {
+      "version": "5.1.1",
+      "resolved": "https://registry.npmjs.org/@hookform/resolvers/-/resolvers-5.1.1.tgz",
+      "integrity": "sha512-J/NVING3LMAEvexJkyTLjruSm7aOFx7QX21pzkiJfMoNG0wl5aFEjLTl7ay7IQb9EWY6AkrBy7tHL2Alijpdcg==",
+      "license": "MIT",
+      "dependencies": {
+        "@standard-schema/utils": "^0.3.0"
+      },
+      "peerDependencies": {
+        "react-hook-form": "^7.55.0"
+      }
+    },
     "node_modules/@humanfs/core": {
       "version": "0.19.1",
       "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
@@ -2749,6 +2764,12 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@standard-schema/utils": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/@standard-schema/utils/-/utils-0.3.0.tgz",
+      "integrity": "sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g==",
+      "license": "MIT"
+    },
     "node_modules/@swc/counter": {
       "version": "0.1.3",
       "resolved": "https://registry.npmjs.org/@swc/counter/-/counter-0.1.3.tgz",
@@ -7921,6 +7942,22 @@
         "react": "^19.1.0"
       }
     },
+    "node_modules/react-hook-form": {
+      "version": "7.60.0",
+      "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.60.0.tgz",
+      "integrity": "sha512-SBrYOvMbDB7cV8ZfNpaiLcgjH/a1c7aK0lK+aNigpf4xWLO8q+o4tcvVurv3c4EOyzn/3dCsYt4GKD42VvJ/+A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/react-hook-form"
+      },
+      "peerDependencies": {
+        "react": "^16.8.0 || ^17 || ^18 || ^19"
+      }
+    },
     "node_modules/react-is": {
       "version": "16.13.1",
       "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz",
@@ -9446,10 +9483,9 @@
       }
     },
     "node_modules/zod": {
-      "version": "3.24.4",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.24.4.tgz",
-      "integrity": "sha512-OdqJE9UDRPwWsrHjLN2F8bPxvwJBK22EHLWtanu0LSYr5YqzsaaW3RMgmjwr8Rypg5k+meEJdSPXJZXE/yqOMg==",
-      "dev": true,
+      "version": "3.25.75",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.75.tgz",
+      "integrity": "sha512-OhpzAmVzabPOL6C3A3gpAifqr9MqihV/Msx3gor2b2kviCgcb+HM9SEOpMWwwNp9MRunWnhtAKUoo0AHhjyPPg==",
       "license": "MIT",
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
diff --git a/package.json b/package.json
index 975a572..a38766b 100644
--- a/package.json
+++ b/package.json
@@ -19,6 +19,7 @@
   },
   "dependencies": {
     "@clerk/nextjs": "^6.19.4",
+    "@hookform/resolvers": "^5.1.1",
     "@prisma/client": "^6.7.0",
     "@radix-ui/react-avatar": "^1.1.9",
     "@radix-ui/react-dialog": "^1.1.13",
@@ -36,8 +37,10 @@
     "next-themes": "^0.4.6",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
+    "react-hook-form": "^7.60.0",
     "sonner": "^2.0.3",
-    "tailwind-merge": "^3.3.0"
+    "tailwind-merge": "^3.3.0",
+    "zod": "^3.25.75"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3",