diff --git a/plugins/generic-sessions/handlers.c b/plugins/generic-sessions/handlers.c
index bd00c2b4..108983cc 100644
--- a/plugins/generic-sessions/handlers.c
+++ b/plugins/generic-sessions/handlers.c
@@ -304,7 +304,8 @@ lwsgs_handler_change_password(struct per_vhost_data__gs *vhd, struct lws *wsi,
 			return 1;
 		}
 
-		strcpy(u.username, lws_spa_get_string(pss->spa, FGS_USERNAME));
+		strncpy(u.username, lws_spa_get_string(pss->spa, FGS_USERNAME), sizeof(u.username) - 1);
+		u.username[sizeof(u.username) - 1] = '\0';
 	}
 
 	/* does he want to delete his account? */