diff --git a/src/user/dto/update-password.dto.ts b/src/user/dto/update-password.dto.ts
index cf3d762..51c0bb0 100644
--- a/src/user/dto/update-password.dto.ts
+++ b/src/user/dto/update-password.dto.ts
@@ -1,4 +1,4 @@
-import { IsNotEmpty, IsOptional } from 'class-validator';
+import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
 import { IsPassword } from 'src/common/validate';
@@ -7,7 +7,7 @@ export class UpdatePasswordDto {
 * 旧密码
 */
 @IsOptional()
- @IsPassword()
+ @IsString()
 oldPassword?: string;
 /**
diff --git a/test/user.e2e-spec.ts b/test/user.e2e-spec.ts
index 3b25eb9..ecd1bb0 100644
--- a/test/user.e2e-spec.ts
+++ b/test/user.e2e-spec.ts
@@ -179,6 +179,20 @@ describe('User crud (e2e)', () => {
 .set('Accept', 'application/json')
 .expect(200);
+ // 旧密码不符合当前强度策略时仍可改密(legacy 用户)
+ const legacyUserDoc = { ...mockUser(), password: 'abc123' };
+ const legacyUser = await userService.create(legacyUserDoc);
+ await request(app.getHttpServer())
+ .post(`/users/${legacyUser.id}/@updatePassword`)
+ .send({
+ oldPassword: 'abc123',
+ newPassword: '^tR123456',
+ })
+ .set('Content-Type', 'application/json')
+ .set('x-api-key', auth.apiKey)
+ .set('Accept', 'application/json')
+ .expect(204);
+
 // username 不合法
 await request(app.getHttpServer())
 .patch(`/users/${user.id}`)
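Review bot: With `@IsPassword()` replaced by `@IsString()` on `oldPassword`, the field now accepts an empty string and a string of any length, because `@IsOptional()` only skips validation for null or undefined. If the service passes this value to a password-hash comparison (not visible in this hunk), an unbounded input costs avoidable work on every request. I would add `@IsNotEmpty()` (already imported) and `@MaxLength(<project limit>)` from class-validator above `oldPassword`. Since the field stays optional, it is also worth confirming that the handler refuses a missing `oldPassword` for callers who may not reset a password without it. The class body continues outside the hunk.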
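Review bot: The added case only shows that a correct legacy password is accepted; nothing here asserts that a wrong `oldPassword` for `legacyUser` is still rejected now that the DTO no longer filters the field. I would add two requests before the successful one: one with a mismatching `oldPassword`, and one with a non-string value such as `oldPassword: ['abc123']`. Each should expect the project's rejection status, which is not visible in this hunk. The enclosing `it` block starts and ends outside the hunk.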