diff --git a/clanModules/flake-module.nix b/clanModules/flake-module.nix
index 28ed8475..a5ef1b9c 100644
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -5,17 +5,18 @@
 imports = [ ./disk-layouts ];
 };
 borgbackup = ./borgbackup;
- ergochat = ./ergochat;
 deltachat = ./deltachat;
+ ergochat = ./ergochat;
 localbackup = ./localbackup;
 localsend = ./localsend;
 matrix-synapse = ./matrix-synapse;
 moonlight = ./moonlight;
+ root-password = ./root-password;
 sshd = ./sshd;
 sunshine = ./sunshine;
 syncthing = ./syncthing;
- root-password = ./root-password;
 thelounge = ./thelounge;
+ user-password = ./root-password;
 xfce = ./xfce;
 zt-tcp-relay = ./zt-tcp-relay;
 };
diff --git a/clanModules/user-password/README.md b/clanModules/user-password/README.md
new file mode 100644
index 00000000..fd87668c
--- /dev/null
+++ b/clanModules/user-password/README.md
@@ -0,0 +1,14 @@
+Automatically generates and configures a password for the specified user account.
+---
+
+If setting the option prompt to true, the user will be prompted to type in their desired password.
+
+After the system was installed/deployed the following command can be used to display the user-password:
+
+```bash
+clan secrets get {machine_name}-user-password
+```
+
+See also: [Facts / Secrets](../../getting-started/secrets.md)
+
+To regenerate the password, delete the password files in the clan directory and redeploy the machine.
diff --git a/clanModules/user-password/default.nix b/clanModules/user-password/default.nix
new file mode 100644
index 00000000..f16c3f56
--- /dev/null
+++ b/clanModules/user-password/default.nix
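Review bot: The new registration `user-password = ./root-password;` points the user-password module at the root-password directory, so the `clanModules/user-password/default.nix` added in this same commit is never wired in and enabling `user-password` would load the root-password module instead. The line should read `user-password = ./user-password;`. The remaining changed lines in this hunk only re-sort existing entries.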
@@ -0,0 +1,49 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+{
+ options.clan.user-password = {
+ user = lib.mkOption {
+ type = lib.types.str;
+ example = "alice";
+ description = "The user the password should be generated for.";
+ };
+ prompt = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = "Whether the user should be prompted.";
+ };
+ };
+
+ config = {
+ users.mutableUsers = false;
+ users.users.${config.clan.user-password.user}.hashedPasswordFile =
+ config.clanCore.facts.services.user-password.secret.user-password-hash.path;
+ sops.secrets."${config.clanCore.machineName}-user-password-hash".neededForUsers = true;
+ clanCore.facts.services.user-password = {
+ secret.user-password = { };
+ secret.user-password-hash = { };
+ generator.prompt = (
+ lib.mkIf config.clan.user-password.prompt "Set the password for your $user: ${config.clan.user-password.user}.
+ You can autogenerate a password, if you leave this prompt blank."
+ );
+ generator.path = with pkgs; [
+ coreutils
+ xkcdpass
+ mkpasswd
+ ];
+ generator.script = ''
+ if [[ -n $prompt_value ]]; then
+ echo $prompt_value > $secrets/user-password
+ else
+ xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password
+ fi
+ cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash
+ '';
+ };
+ };
+}
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 3bcc6ebd..8b618d44 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -75,6 +75,7 @@ nav:
 - reference/clanModules/sunshine.md
 - reference/clanModules/syncthing.md
 - reference/clanModules/thelounge.md
+ - reference/clanModules/user-password.md
 - reference/clanModules/xfce.md
 - reference/clanModules/zt-tcp-relay.md
 - Clan Core:
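Review bot: In generator.script, `echo $prompt_value > $secrets/user-password` expands the user-typed password unquoted, so a password containing spaces or glob characters is word-split or expanded before it is written, and one beginning with `-n` or `-e` is consumed as an echo option, which means the stored hash may not match what the user typed. Use `printf '%s\n' "$prompt_value" > "$secrets/user-password"` and, on the hashing line, `mkpasswd -s -m sha-512 < "$secrets/user-password" > "$secrets/user-password-hash"`, which also drops the needless cat and quotes the paths. Separately, `$user` inside the generator.prompt string is not interpolated by Nix (only `${...}` is), so the prompt presumably renders as `for your $user: alice`; the wording likely intended `for user ${config.clan.user-password.user}`.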