different password validation on create and on update

I've got a model Officer that relies on password validation in all
cases, but I need it to validate the password at different times. For
on create, I want to verify that the password and password
confirmation exists at all times. For update, want to make it
possible for providing password optional, and only when the password
is provided, to make sure it matches the password confirmation and the
within a certain length (such as when calling method
update_attributes).

The best ways I see it right now is to define either
before_validation_on_create, after_validation_on_create, or
before_create for method new, and define either
before_validation_on_update, after_validation_on_update, or
before_update for method update_attributes. It's worth noting that
Officer extends off of Person, which has it's own validations to do.

I have several questions about this. First, which function should I
define for validating create and update? What are the pros and cons
on each one?
I've also noticed that I cannot use validate_length_of and other
helper methods inside these, and wondered why I'm not allowed to.
Does this mean I have to make my own validation?
If I do have to make my own validations within these methods, I will
have to verify that the pseudo-parameters :password
and :password_confirmation exists. Do I have to call attr_accessor on
either :password, :password_confirmation, or both in this case?

Many thanks in advance!

P.S. Currently, my Officer and Person model looks like this:

I tried this:

I tried this:

I tried this:

Taro, 3 tips for validations:

(1) Have a look at these customized validation methods to help make
validation code smaller and more readable for many scenarios:

http://www.railsdev.ws/blog/11/custom-validations-in-rails/

(2) To validate a specific input only when it is not empty, use an
:if => Proc.new technique. In my case, I use this for an email address
like this:

validates_as_email :userEmail,
                    :if => Proc.new { |PrivilegedUser|
                           PrivilegedUser.userEmail.length > 0 }

where :userEmail is the HTML input, and PrivilegedUser is the name
of the class.

(3) For passwords, and other validations that require some custom logic,
add a "validate" method to your class. ActiveRecord will call this
automatically. Let's assume your HTML inputs are pswd and verify_pswd:

def validate

   # this disallows empty values if the record is new

   if self.new_record? && (@pswd.blank? || @verify_pswd.blank?)
     self.errors.add(:pswd, 'Password cannot be empty.')
   end

end

There are several waysto slice this as there are a few validation
callbacks, so have a look here to see which one best suits how
you prefer to organize your logic:
http://api.rubyonrails.org/classes/ActiveRecord/Callbacks.html

def validate

# this disallows empty values if the record is new

if self.new_record? && (@pswd.blank? || @verify_pswd.blank?)
self.errors.add(:pswd, 'Password cannot be empty.')
end

end

THIS is what I was looking for. The new_record? method! Thanks you
so much!

By the way, I apologize for the triple post. They happened
accidentally by the magic of F5 :-P.