diff --git a/initial-configs/passwords/chris b/initial-configs/passwords/chris
new file mode 100644
index 0000000..982bc88
--- /dev/null
+++ b/initial-configs/passwords/chris
@@ -0,0 +1 @@
+$6$MCVd.EUOYYB0A1eS$S1/gSfAq1c2dBCofvJp9RtW.o5mLi78h0Y39LABIeIauPRjlEny/1R5aXEA7uPrZ3TPxhnYOYxTdbCi0imFZp.
diff --git a/system/users.nix b/system/users.nix
index 76d3bd9..2dade7d 100644
--- a/system/users.nix
+++ b/system/users.nix
@@ -4,7 +4,7 @@
     users.users.chris = {
         uid = 1000;
         isNormalUser = true;
-        initialPassword = "changeme123";
+        hashedPasswordFile = "/persist/passwords/chris";
         shell = pkgs.zsh;
         extraGroups = [
             "chris"
@@ -13,4 +13,20 @@
             "docker"
         ];
     };
+    system.activationScripts = {
+        setupInitialPassword = {
+            supportsDryRun = true;
+            text = ''
+                # Ensure the directory exists
+                mkdir -p /persist/passwords
+
+                # Copy the initial hash if the file is missing
+                if [ ! -f /persist/passwords/chris ]; then
+                    cp ${../initial-configs/passwords/chris} /persist/passwords/chris
+                    chmod 600 /persist/passwords/chris
+                    chown root:root /persist/passwords/chris
+                fi
+            '';
+        };
+    };
 }