diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index f632614..2f53546 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -707,9 +707,9 @@ main() {
 redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
 if [[ "$password_file" != 'null' ]] && [[ "$password_file" != '""' ]]; then
- "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$(cat $password_file)"
+ LLDAP_USER_PASSWORD="$(cat $password_file)" "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id"
 elif [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
- "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password"
+ LLDAP_USER_PASSWORD="$password" "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id"
 fi
 
 # Process custom attributes
diff --git a/set-password/src/main.rs b/set-password/src/main.rs
index 95099a3..5f74f74 100644
--- a/set-password/src/main.rs
+++ b/set-password/src/main.rs
@@ -1,3 +1,5 @@
+use std::env;
+
 use anyhow::{Context, Result, bail, ensure};
 use clap::Parser;
 use lldap_auth::{opaque, registration};
@@ -27,9 +29,9 @@ pub struct CliOpts {
 #[clap(short, long)]
 pub username: String,
 
- /// New password for the user.
+ /// New password for the user. Can also be passed as the environment variable LLDAP_USER_PASSWORD.
 #[clap(short, long)]
- pub password: String,
+ pub password: Option,
 
 /// Bypass password requirements such as minimum length. Unsafe.
 #[clap(long)]
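Review bot: The new `LLDAP_USER_PASSWORD="$(cat $password_file)"` line leaves `$password_file` unquoted inside the command substitution, so a path containing whitespace or glob characters is word-split or expanded before `cat` runs; quote it as `LLDAP_USER_PASSWORD="$(cat "$password_file")"`. The commit moves the password off the command line, but `--token "$TOKEN"` still travels through argv on both new lines, where it is readable by any local user via `ps` or `/proc/*/cmdline` — if set-password can read the token from the environment as well, it deserves the same treatment; if not, a short comment noting that residual exposure would help the next reader. Note also that `$(...)` strips trailing newlines from the file's contents, which is presumably intended for a password file. The enclosing `main()` starts outside this hunk.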
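Review bot: The new doc comment on `password` says the value can also come from the environment but does not tell the user which source wins or why they should prefer it, and the `-p/--password` flag still accepts the secret on the command line where it lands in the process list. I would rewrite the comment as `/// New password for the user. Prefer the LLDAP_USER_PASSWORD environment variable; a value passed on the command line is visible to other local users in the process list. The flag takes precedence over the variable.` As rendered here `pub password: Option,` has no type parameter, which is presumably `Option<String>` lost in rendering — worth confirming against the actual file. If the crate's clap build enables the `env` feature, `#[clap(short, long, env = "LLDAP_USER_PASSWORD")]` would express the fallback declaratively and keep it visible in `--help`; I cannot tell from this diff whether that feature is on.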
@@ -100,8 +102,14 @@ pub fn register_finish(
 fn main() -> Result<()> {
 let opts = CliOpts::parse();
+
+ let password = match opts.password {
+ Some(v) => v,
+ None => env::var("LLDAP_USER_PASSWORD").unwrap_or_default(),
+ };
+
 ensure!(
- opts.bypass_password_policy || opts.password.len() >= 8,
+ opts.bypass_password_policy || password.len() >= 8,
 "New password is too short, expected at least 8 characters"
 );
 ensure!(
@@ -118,7 +126,7 @@ fn main() -> Result<()> {
 let mut rng = rand::rngs::OsRng;
 let registration_start_request =
- opaque::client::registration::start_registration(opts.password.as_bytes(), &mut rng)
+ opaque::client::registration::start_registration(password.as_bytes(), &mut rng)
 .context("Could not initiate password change")?;
 let start_request = registration::ClientRegistrationStartRequest {
 username: opts.username.clone().into(),
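Review bot: `env::var("LLDAP_USER_PASSWORD").unwrap_or_default()` in the new `None` arm turns a missing variable — and, since `env::var` also fails on non-UTF-8 content, a malformed one — into an empty string, so with `--bypass-password-policy` the tool silently registers an empty password, and without it the user gets the misleading "too short" error instead of being told no password was supplied. Replace the arm with `None => env::var("LLDAP_USER_PASSWORD").context("No password given: pass --password or set LLDAP_USER_PASSWORD")?,` — `Context` is already imported at the top of this file. Even with a password supplied, the bypass flag currently lets `--password ""` through; an unconditional `ensure!(!password.is_empty(), "New password must not be empty");` before the policy check closes that gap without weakening the bypass for length. The body of `main` continues past the end of this hunk.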