diff --git a/.gitignore b/.gitignore
index 8d58c319..19a8476c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ Utilities/disklabel/disklabel
 Utilities/EfiResTool/EfiResTool
 Utilities/macserial/macserial
 Utilities/icnspack/icnspack
+Utilities/ocpasswordgen/ocpasswordgen
 Utilities/ocvalidate/ocvalidate
 Utilities/LogoutHook/nvramdump
 Utilities/RsaTool/RsaTool
diff --git a/Include/Acidanthera/Library/OcCryptoLib.h b/Include/Acidanthera/Library/OcCryptoLib.h
index 5b0fc3a1..305e61da 100644
--- a/Include/Acidanthera/Library/OcCryptoLib.h
+++ b/Include/Acidanthera/Library/OcCryptoLib.h
@@ -74,6 +74,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 //
 #define CHACHA_IV_SIZE 12
 
+//
+// Maximum OpenCore password length.
+//
+#define OC_PASSWORD_MAX_LEN 32
+
 //
 // Possible RSA algorithm types supported by OcCryptoLib
 // for RSA digital signature verification
@@ -516,6 +521,26 @@ SecureZeroMem (
   IN UINTN Length
   );
 
+/**
+  Hash Password and Salt into a PasswordHash. The used hash function is
+  SHA-512, thus the caller must ensure RefHash is at least 64 bytes in size.
+
+  @param[in] Password The entered password to hash.
+  @param[in] PasswordSize The size, in bytes, of Password.
+  @param[in] Salt The cryptographic salt appended to Password on hash.
+  @param[in] SaltSize The size, in bytes, of Salt.
+  @param[in] Hash The SHA-512 hash of Password and Salt.
+
+**/
+VOID
+OcHashPasswordSha512 (
+  IN CONST UINT8 *Password,
+  IN UINT32 PasswordSize,
+  IN CONST UINT8 *Salt,
+  IN UINT32 SaltSize,
+  OUT UINT8 *Hash
+  );
+
 /**
   Verify Password and Salt against RefHash. The used hash function is
   SHA-512, thus the caller must ensure RefHash is at least 64 bytes in size.
diff --git a/Library/OcBootManagementLib/OcBootManagementLib.c b/Library/OcBootManagementLib/OcBootManagementLib.c
index 02e0042c..0f452d77 100644
--- a/Library/OcBootManagementLib/OcBootManagementLib.c
+++ b/Library/OcBootManagementLib/OcBootManagementLib.c
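Review bot: The doc comment added for OcHashPasswordSha512 documents the wrong direction and the wrong parameter name: `@param[in] Hash` should be `@param[out] Hash The SHA-512 hash of Password and Salt.` to match the `OUT UINT8 *Hash` prototype, and the first paragraph refers to `RefHash`, which does not exist in this function, so it should read `SHA-512, thus the caller must ensure Hash is at least 64 bytes in size.` Both look like a copy of the OcVerifyPasswordSha512 comment that follows. It would also help to say whether PasswordSize is expected to be bounded by the new OC_PASSWORD_MAX_LEN or whether that limit belongs only to the input paths (the hash itself takes a UINT32 size), so callers know where the bound is enforced.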
@@ -337,7 +337,7 @@ OcShowSimplePasswordRequest (
   BOOLEAN Result;
-  UINT8 Password[32];
+  UINT8 Password[OC_PASSWORD_MAX_LEN];
   UINT32 PwIndex;
   UINT8 Index;
diff --git a/Utilities/ocpasswordgen/Makefile b/Utilities/ocpasswordgen/Makefile
new file mode 100644
index 00000000..aa0d6f2c
--- /dev/null
+++ b/Utilities/ocpasswordgen/Makefile
@@ -0,0 +1,15 @@
+## @file
+# Copyright (c) 2020, Marvin Häuser. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause
+##
+
+PROJECT = ocpasswordgen
+PRODUCT = $(PROJECT)$(SUFFIX)
+OBJS = $(PROJECT).o
+#
+# OcCryptoLib targets.
+#
+OBJS += PasswordHash.o
+
+VPATH = ../../Library/OcCryptoLib
+include ../../User/Makefile
diff --git a/Utilities/ocpasswordgen/ocpasswordgen b/Utilities/ocpasswordgen/ocpasswordgen
new file mode 100644
index 00000000..6b9db95f
Binary files /dev/null and b/Utilities/ocpasswordgen/ocpasswordgen differ
diff --git a/Utilities/ocpasswordgen/ocpasswordgen.c b/Utilities/ocpasswordgen/ocpasswordgen.c
new file mode 100644
index 00000000..3fefac09
--- /dev/null
+++ b/Utilities/ocpasswordgen/ocpasswordgen.c
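Review bot: The build product this Makefile defines as `PRODUCT = $(PROJECT)$(SUFFIX)` is checked into the repository as a binary by the same change (`Binary files /dev/null and b/Utilities/ocpasswordgen/ocpasswordgen differ`), even though the .gitignore entry added alongside is meant to keep it out. A prebuilt, unreviewable executable in the source tree is a supply-chain liability and will silently drift from the source it was built from. It should be dropped from the commit with `git rm --cached Utilities/ocpasswordgen/ocpasswordgen` so that only the Makefile and the source are versioned and the tool is always built from what was reviewed.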
@@ -0,0 +1,60 @@
+/** @file
+  Copyright (c) 2020, Marvin Häuser. All rights reserved.
+  SPDX-License-Identifier: BSD-3-Clause
+**/
+
+#include
+
+#include
+#include
+#include
+
+int main(void) {
+  int Char;
+  UINT8 Password[OC_PASSWORD_MAX_LEN];
+  UINT8 PasswordLen;
+  UINT32 Salt[4];
+  UINT8 Index;
+  UINT8 PasswordHash[SHA512_DIGEST_SIZE];
+
+  printf("Please enter your password: ");
+
+  for (PasswordLen = 0; PasswordLen < OC_PASSWORD_MAX_LEN; ++PasswordLen) {
+    Char = getchar();
+    if (Char == EOF || Char == '\n') {
+      break;
+    }
+
+    Password[PasswordLen] = (UINT8) Char;
+  }
+
+  for (Index = 0; Index < ARRAY_SIZE (Salt); ++Index) {
+    Salt[Index] = pseudo_random ();
+  }
+
+  OcHashPasswordSha512 (
+    Password,
+    PasswordLen,
+    (UINT8 *) Salt,
+    sizeof (Salt),
+    PasswordHash
+    );
+
+  printf ("\nPasswordHash: <");
+  for (Index = 0; Index < sizeof (PasswordHash); ++Index) {
+    printf ("%02x", PasswordHash[Index]);
+  }
+
+  printf ("> \nPasswordSalt: <");
+  for (Index = 0; Index < sizeof (Salt); ++Index) {
+    printf ("%02x", ((unsigned char *) Salt)[Index]);
+  }
+
+  printf ("> \n");
+
+  SecureZeroMem (Password, sizeof (Password));
+  SecureZeroMem (PasswordHash, sizeof (PasswordHash));
+  SecureZeroMem (&PasswordLen, sizeof (PasswordLen));
+
+  return 0;
+}
diff --git a/build_oc.tool b/build_oc.tool
index f79c58e0..e5b171d1 100755
--- a/build_oc.tool
+++ b/build_oc.tool
@@ -9,6 +9,7 @@ buildutil() {
     "disklabel"
     "icnspack"
     "macserial"
+    "ocpasswordgen"
     "ocvalidate"
     "TestBmf"
     "TestDiskImage"
@@ -219,6 +220,7 @@ package() {
   utils=(
     "acdtinfo"
     "macserial"
+    "ocpasswordgen"
     "ocvalidate"
     "disklabel"
     "icnspack"
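Review bot: The salt in `Salt[Index] = pseudo_random ();` comes from a function whose name suggests a non-cryptographic generator; if it is an unseeded libc-style PRNG, every run of the tool emits the same 16-byte salt, which defeats the per-user precomputation resistance the salt exists to provide, so the salt should come from the OS CSPRNG (`arc4random_buf`, `getrandom`, or `BCryptGenRandom`) or the seeding should be documented right at this line. The input loop also silently truncates a password longer than OC_PASSWORD_MAX_LEN, leaving the remainder in stdin and emitting a hash for a prefix the user did not intend to use; the rewrite below detects that case and refuses rather than producing a hash that will never match what the user types at the boot prompt. The password is read with terminal echo enabled, so it is shown on screen and retained in scrollback; on POSIX, clearing `ECHO` with `tcsetattr` around the read and restoring it on every exit path is the usual fix, and a `getpass`-style helper would keep that out of `main`. Finally, `Char` still holds the last typed byte when `main` returns and is not zeroed with the other buffers.
```c
  for (PasswordLen = 0; PasswordLen < OC_PASSWORD_MAX_LEN; ++PasswordLen) {
    Char = getchar();
    if (Char == EOF || Char == '\n') {
      break;
    }

    Password[PasswordLen] = (UINT8) Char;
  }

  //
  // The buffer is full: only accept the password if the next byte ends the line,
  // otherwise a truncated prefix would be hashed without the user noticing.
  //
  if (PasswordLen == OC_PASSWORD_MAX_LEN) {
    Char = getchar();
    if (Char != EOF && Char != '\n') {
      fprintf(stderr, "Password exceeds %u characters and was not hashed.\n", (unsigned) OC_PASSWORD_MAX_LEN);
      SecureZeroMem (Password, sizeof (Password));
      Char = 0;
      return 1;
    }
  }

  Char = 0;

  // … unchanged: salt generation, hashing and output …
```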