diff --git a/opendj-packages/opendj-docker/Dockerfile b/opendj-packages/opendj-docker/Dockerfile
index 643769ce31..0ddc0d305b 100644
--- a/opendj-packages/opendj-docker/Dockerfile
+++ b/opendj-packages/opendj-docker/Dockerfile
@@ -8,7 +8,9 @@ ENV LDAPS_PORT=1636
 ENV ADMIN_PORT=4444
 ENV BASE_DN="dc=example,dc=com"
 ENV ROOT_USER_DN="cn=Directory Manager"
-ENV ROOT_PASSWORD="password"
+# ROOT_PASSWORD should be passed at runtime via: docker run -e ROOT_PASSWORD=...
+# or mount a Docker secret file to /run/secrets/root_password
+# Default value if not provided: "password"
 #ENV SECRET_VOLUME
 ENV OPENDJ_SSL_OPTIONS="--generateSelfSignedCertificate"
 #ENV MASTER_SERVER
diff --git a/opendj-packages/opendj-docker/Dockerfile-alpine b/opendj-packages/opendj-docker/Dockerfile-alpine
index 1a3ece3bc4..970455a34e 100644
--- a/opendj-packages/opendj-docker/Dockerfile-alpine
+++ b/opendj-packages/opendj-docker/Dockerfile-alpine
@@ -8,7 +8,9 @@ ENV LDAPS_PORT=1636
 ENV ADMIN_PORT=4444
 ENV BASE_DN="dc=example,dc=com"
 ENV ROOT_USER_DN="cn=Directory Manager"
-ENV ROOT_PASSWORD="password"
+# ROOT_PASSWORD should be passed at runtime via: docker run -e ROOT_PASSWORD=...
+# or mount a Docker secret file to /run/secrets/root_password
+# Default value if not provided: "password"
 #ENV SECRET_VOLUME
 ENV OPENDJ_SSL_OPTIONS="--generateSelfSignedCertificate"
 #ENV MASTER_SERVER
diff --git a/opendj-packages/opendj-docker/run.sh b/opendj-packages/opendj-docker/run.sh
index 4808e30a48..b602871cd3 100755
--- a/opendj-packages/opendj-docker/run.sh
+++ b/opendj-packages/opendj-docker/run.sh
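Review bot: The comment block added in the Dockerfile hunk lists `docker run -e ROOT_PASSWORD=...` first and records `password` as the fallback for `cn=Directory Manager` without saying that either is a risk; a value passed with `-e` stays readable through `docker inspect` and the container environment. I would put the secret file first and mark the default as test-only, for example `# Prefer a secret file mounted at /run/secrets/root_password; -e ROOT_PASSWORD=... is visible in docker inspect` and `# If neither is given run.sh falls back to "password" - local testing only`. The Dockerfile-alpine hunk adds the same three comment lines, so the wording should change in both files. With the `ENV` line gone, anything in the image that reads ROOT_PASSWORD outside run.sh (a health check, for instance; none is visible here) no longer gets a value from the image, which is worth confirming.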
@@ -28,8 +28,13 @@ echo "Instance data Directory is empty. Creating new DJ instance" export BASE_DN=${BASE_DN:-"dc=example,dc=com"} echo "BASE DN is ${BASE_DN}" -export PASSWORD=${ROOT_PASSWORD:-password} -echo "Password set to $PASSWORD" +# Read ROOT_PASSWORD from Docker secret file if available, fall back to env var, then default +if [ -f /run/secrets/root_password ]; then + export ROOT_PASSWORD=$(tr -d '\n\r' < /run/secrets/root_password) +fi +export ROOT_PASSWORD=${ROOT_PASSWORD:-password} +export PASSWORD=${ROOT_PASSWORD} +echo "Password is set" BOOTSTRAP=${BOOTSTRAP:-/opt/opendj/bootstrap/setup.sh} echo "Running $BOOTSTRAP"
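Review bot: In the added `if [ -f /run/secrets/root_password ]` branch, a secret file that exists but is empty or not readable by the container user leaves ROOT_PASSWORD empty, and the following line then sets it to the well-known default `password`, discarding any value that was passed by environment as well. `export ROOT_PASSWORD=$(...)` also hides the exit status of `tr` and of a failed redirect, so nothing is reported. I would read into a temporary variable, stop with an error when the secret is present but yields nothing, and print a warning on stderr whenever the default is used, as below. The surrounding first-run setup code begins and ends outside this hunk, so whether `exit 1` fits its error handling should be checked there.

```shell
# Read ROOT_PASSWORD from the Docker secret file when present. A secret that
# exists but is empty or unreadable is an error, not a reason to fall back.
if [ -f /run/secrets/root_password ]; then
  secret_value=$(tr -d '\n\r' < /run/secrets/root_password) || secret_value=""
  if [ -z "$secret_value" ]; then
    echo "ERROR: /run/secrets/root_password is empty or unreadable" >&2
    exit 1
  fi
  export ROOT_PASSWORD="$secret_value"
  unset secret_value
fi
if [ -z "${ROOT_PASSWORD:-}" ]; then
  echo "WARNING: ROOT_PASSWORD not provided, using the default password" >&2
fi
export ROOT_PASSWORD=${ROOT_PASSWORD:-password}
# … unchanged: export PASSWORD, echo "Password is set" …
```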