diff --git a/server/ente/user.go b/server/ente/user.go
index 9ab12f31a4..8b207712d9 100644
--- a/server/ente/user.go
+++ b/server/ente/user.go
@@ -10,6 +10,8 @@ const (
 	ChangeEmailOTTPurpose = "change"
 	SignUpOTTPurpose      = "signup"
 	LoginOTTPurpose       = "login"
+
+	ExpectedKDFStrength = 1073741824 * 4
 )
 
 // User represents a user in the system
@@ -88,6 +90,14 @@ type SetUserAttributesRequest struct {
 	KeyAttributes KeyAttributes `json:"keyAttributes" binding:"required"`
 }
 
+func (sk *SetUserAttributesRequest) Validate() error {
+	strength := sk.KeyAttributes.MemLimit * sk.KeyAttributes.OpsLimit
+	if strength != ExpectedKDFStrength {
+		return NewBadRequestWithMessage("Unexpected KDF strength")
+	}
+	return nil
+}
+
 // UpdateEmailMFA ..
 type UpdateEmailMFA struct {
 	IsEnabled *bool `json:"isEnabled" binding:"required"`
@@ -102,6 +112,14 @@ type UpdateKeysRequest struct {
 	OpsLimit           int    `json:"opsLimit" binding:"required"`
 }
 
+func (u *UpdateKeysRequest) Validate() error {
+	strength := u.MemLimit * u.OpsLimit
+	if strength != ExpectedKDFStrength {
+		return NewBadRequestWithMessage("Unexpected KDF strength")
+	}
+	return nil
+}
+
 type SetRecoveryKeyRequest struct {
 	MasterKeyEncryptedWithRecoveryKey string `json:"masterKeyEncryptedWithRecoveryKey"`
 	MasterKeyDecryptionNonce          string `json:"masterKeyDecryptionNonce"`
diff --git a/server/pkg/api/user.go b/server/pkg/api/user.go
index bfdd36ab7b..c62613ccb7 100644
--- a/server/pkg/api/user.go
+++ b/server/pkg/api/user.go
@@ -82,6 +82,10 @@ func (h *UserHandler) SetAttributes(c *gin.Context) {
 		handler.Error(c, stacktrace.Propagate(err, ""))
 		return
 	}
+	if err := request.Validate(); err != nil {
+		handler.Error(c, stacktrace.Propagate(err, ""))
+		return
+	}
 	err := h.UserController.SetAttributes(userID, request)
 	if err != nil {
 		handler.Error(c, stacktrace.Propagate(err, ""))
diff --git a/server/pkg/repo/srp.go b/server/pkg/repo/srp.go
index 9a8480e6ac..efb7c3bea2 100644
--- a/server/pkg/repo/srp.go
+++ b/server/pkg/repo/srp.go
@@ -135,6 +135,9 @@ func (repo *UserAuthRepository) InsertOrUpdateSRPAuthAndKeyAttr(ctx context.Cont
 		return stacktrace.Propagate(err, "")
 	}
 	updateKeyAttr := *req.UpdateAttributes
+	if validErr := updateKeyAttr.Validate(); validErr != nil {
+		return stacktrace.Propagate(validErr, "")
+	}
 	_, err = tx.ExecContext(ctx, `UPDATE key_attributes SET kek_salt = $1, encrypted_key = $2, key_decryption_nonce = $3, mem_limit = $4, ops_limit = $5 WHERE user_id = $6`,
 		updateKeyAttr.KEKSalt, updateKeyAttr.EncryptedKey, updateKeyAttr.KeyDecryptionNonce, updateKeyAttr.MemLimit, updateKeyAttr.OpsLimit, userID)
 	if err != nil {