diff --git a/board/common/overlay/etc/init.d/S00datapart b/board/common/overlay/etc/init.d/S00datapart
index d8da86778b..603bc6fd7b 100755
--- a/board/common/overlay/etc/init.d/S00datapart
+++ b/board/common/overlay/etc/init.d/S00datapart
@@ -51,6 +51,10 @@ case "$1" in
         touch /data/etc/adjtime
         sync
         msg_done
+        
+        msg_begin "Setting empty root password"
+        PASSWORD="" adminpasswd
+        msg_done
 
         # mount other partitions depending on data
         mount -T /etc/fstab.disk -a
diff --git a/board/common/overlay/etc/init.d/S21passwd b/board/common/overlay/etc/init.d/S21passwd
deleted file mode 100755
index 542aaecc1d..0000000000
--- a/board/common/overlay/etc/init.d/S21passwd
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/bash
-
-test -n "$os_version" || source /etc/init.d/base
-
-case "$1" in
-    start)
-        # make sure root and admin users exist in shadow file
-        touch /data/etc/shadow
-        chmod go-rwx /data/etc/shadow
-        if ! grep root /data/etc/shadow &>/dev/null; then
-            echo 'root::::::::' >> /data/etc/shadow
-        fi
-        if ! grep admin /data/etc/shadow &>/dev/null; then
-            echo 'admin::::::::' >> /data/etc/shadow
-        fi
-
-        # remove shadow backups
-        rm -f /data/etc/shadow+
-        rm -f /data/etc/shadow-
-
-        if [ -x /etc/init.d/adminpw ]; then
-            # set root and admin passwords (admin is just an alias for root)
-            password=$(/etc/init.d/adminpw)
-            msg_begin "Setting root password"
-
-            echo -en "$password\n$password\n" | passwd &>/dev/null # root
-            echo -en "$password\n$password\n" | passwd admin &>/dev/null # admin
-            
-            sed -r -i 's/root:([^:]+):[[:digit:]]+:/root:\1::/' /data/etc/shadow # removes pwd expiration
-            sed -r -i 's/admin:([^:]+):[[:digit:]]+:/admin:\1::/' /data/etc/shadow # removes pwd expiration
-            msg_done
-        fi
-
-        sync
-
-        ;;
-
-    stop)
-        true
-        ;;
-
-    *)
-        echo "Usage: $0 {start}"
-        exit 1
-esac
-
-exit $?
-
diff --git a/board/common/overlay/etc/init.d/adminpw b/board/common/overlay/etc/init.d/adminpw
deleted file mode 100755
index 2dbbc137ca..0000000000
--- a/board/common/overlay/etc/init.d/adminpw
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-
-# echo your admin password here
-
diff --git a/board/common/overlay/usr/sbin/adminpasswd b/board/common/overlay/usr/sbin/adminpasswd
new file mode 100755
index 0000000000..d259d2edbe
--- /dev/null
+++ b/board/common/overlay/usr/sbin/adminpasswd
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# we verify the presence of the PASSWORD variable using env,
+# as it can also have an empty string value
+if ! env | grep PASSWORD &>/dev/null; then
+    echo "You must set the PASSWORD environment variable."
+    exit 1
+fi
+
+# make sure root and admin users exist in shadow file
+touch /data/etc/shadow
+chmod go-rwx /data/etc/shadow
+if ! grep root /data/etc/shadow &>/dev/null; then
+    echo 'root::::::::' >> /data/etc/shadow
+fi
+if ! grep admin /data/etc/shadow &>/dev/null; then
+    echo 'admin::::::::' >> /data/etc/shadow
+fi
+
+# remove shadow backups
+rm -f /data/etc/shadow+
+rm -f /data/etc/shadow-
+
+# set root and admin passwords (admin is just an alias for root)
+
+echo -en "$PASSWORD\n$PASSWORD\n" | passwd &>/dev/null # root
+echo -en "$PASSWORD\n$PASSWORD\n" | passwd admin &>/dev/null # admin
+
+sed -r -i 's/root:([^:]+):[[:digit:]]+:/root:\1::/' /data/etc/shadow # removes pwd expiration
+sed -r -i 's/admin:([^:]+):[[:digit:]]+:/admin:\1::/' /data/etc/shadow # removes pwd expiration
+