diff --git a/CHANGES b/CHANGES
index 3797979b0..71bc1a5dd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2455,4 +2455,5 @@
 * ldap: respond to RootDSE
 * nginx: update to 1.20.0-1
 * Check if CNAME record exists and remove it if overwrite is set
+* cifs: use credentials file for better password support
diff --git a/setup/start.sh b/setup/start.sh
index e81cc381c..a52869fd2 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -72,6 +72,7 @@ mkdir -p "${PLATFORM_DATA_DIR}/update"
 mkdir -p "${PLATFORM_DATA_DIR}/sftp/ssh" # sftp keys
 mkdir -p "${PLATFORM_DATA_DIR}/firewall"
 mkdir -p "${PLATFORM_DATA_DIR}/sshfs"
+mkdir -p "${PLATFORM_DATA_DIR}/cifs"
 # ensure backups folder exists and is writeable
 mkdir -p /var/backups
@@ -235,7 +236,7 @@ log "Changing ownership"
 # note, change ownership after db migrate. this allow db migrate to move files around as root and then we can fix it up here
 # be careful of what is chown'ed here. subdirs like mysql,redis etc are owned by the containers and will stop working if perms change
 chown -R "${USER}" /etc/cloudron
-chown "${USER}:${USER}" -R "${PLATFORM_DATA_DIR}/nginx" "${PLATFORM_DATA_DIR}/collectd" "${PLATFORM_DATA_DIR}/addons" "${PLATFORM_DATA_DIR}/acme" "${PLATFORM_DATA_DIR}/backup" "${PLATFORM_DATA_DIR}/logs" "${PLATFORM_DATA_DIR}/update" "${PLATFORM_DATA_DIR}/sftp" "${PLATFORM_DATA_DIR}/firewall" "${PLATFORM_DATA_DIR}/sshfs"
+chown "${USER}:${USER}" -R "${PLATFORM_DATA_DIR}/nginx" "${PLATFORM_DATA_DIR}/collectd" "${PLATFORM_DATA_DIR}/addons" "${PLATFORM_DATA_DIR}/acme" "${PLATFORM_DATA_DIR}/backup" "${PLATFORM_DATA_DIR}/logs" "${PLATFORM_DATA_DIR}/update" "${PLATFORM_DATA_DIR}/sftp" "${PLATFORM_DATA_DIR}/firewall" "${PLATFORM_DATA_DIR}/sshfs" "${PLATFORM_DATA_DIR}/cifs"
 chown "${USER}:${USER}" "${PLATFORM_DATA_DIR}/INFRA_VERSION" 2>/dev/null || true
 chown "${USER}:${USER}" "${PLATFORM_DATA_DIR}"
 chown "${USER}:${USER}" "${APPS_DATA_DIR}"
diff --git a/src/mounts.js b/src/mounts.js
index 900477eb1..4c23285a7 100644
--- a/src/mounts.js
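Review bot: The `cifs` directory created on the added mkdir line is where mounts.js in this commit writes per-mount `.cred` files holding the share password, but `mkdir -p` leaves it with the umask-derived mode and the chown in the second hunk only changes ownership. The files themselves are written 0600, so their content is protected, yet the directory listing (systemd-escaped host paths) stays readable by other local users under a typical umask; consider `chmod 700 "${PLATFORM_DATA_DIR}/cifs"` right after the mkdir. The sibling sshfs directory has the same shape, so the same hardening would apply there if it is wanted.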
+++ b/src/mounts.js
@@ -87,11 +87,17 @@ function renderMountFile(mount) {
 let options, what, type;
 switch (mountType) {
- case 'cifs':
+ case 'cifs': {
+ const out = safe.child_process.execSync(`systemd-escape -p '${hostPath}'`, { encoding: 'utf8' }); // this ensures uniqueness of creds file
+ if (!out) throw new BoxError(BoxError.FS_ERROR, `Could not determine credentials file name: ${safe.error.message}`);
+ const credentialsFilePath = path.join(paths.CIFS_CREDENTIALS_DIR, `${out.trim()}.cred`);
+ if (!safe.fs.writeFileSync(credentialsFilePath, `username=${mountOptions.username}\npassword=${mountOptions.password}\n`, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, `Could not write credentials file: ${safe.error.message}`);
+
 type = 'cifs';
 what = `//${mountOptions.host}` + path.join('/', mountOptions.remoteDir);
- options = `username=${mountOptions.username},password=${mountOptions.password},rw,${mountOptions.seal ? 'seal,' : ''}iocharset=utf8,file_mode=0666,dir_mode=0777,uid=yellowtent,gid=yellowtent`;
+ options = `credentials=${credentialsFilePath},rw,${mountOptions.seal ? 'seal,' : ''}iocharset=utf8,file_mode=0666,dir_mode=0777,uid=yellowtent,gid=yellowtent`;
 break;
+ }
 case 'nfs':
 type = 'nfs';
 what = `${mountOptions.host}:${mountOptions.remoteDir}`;
@@ -104,7 +110,6 @@ function renderMountFile(mount) {
 break;
 case 'sshfs': {
 const keyFilePath = path.join(paths.SSHFS_KEYS_DIR, `id_rsa_${mountOptions.host}`);
- if (!safe.fs.writeFileSync(keyFilePath, `${mount.mountOptions.privateKey}\n`, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, `Could not write private key: ${safe.error.message}`);
 type = 'fuse.sshfs';
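Review bot: `systemd-escape -p '${hostPath}'` on the first added line of the cifs case goes through a shell with hostPath spliced into a single-quoted string, so a hostPath containing a single quote ends the quoting and the remainder is interpreted as shell; whether hostPath can carry such characters depends on validation upstream of this function, which the hunk does not show. Passing it as an argv element avoids the shell entirely, e.g. `const out = safe.child_process.execFileSync('systemd-escape', ['-p', hostPath], { encoding: 'utf8' });`, assuming the `safe` wrapper exposes execFileSync as it does execSync. The same construction is repeated in the removeMount hunk below and should change together with this one; renderMountFile itself begins and ends outside this hunk. Separately, the credentials file is line-oriented, so a username or password containing a newline would add extra `key=value` lines to it; rejecting `\n` in both values before the writeFileSync keeps the file's meaning fixed.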
@@ -132,6 +137,11 @@ async function removeMount(mount) {
 if (mountType === 'sshfs') {
 const keyFilePath = path.join(paths.SSHFS_KEYS_DIR, `id_rsa_${mountOptions.host}`);
 safe.fs.unlinkSync(keyFilePath);
+ } else if (mountType === 'cifs') {
+ const out = safe.child_process.execSync(`systemd-escape -p '${hostPath}'`, { encoding: 'utf8' });
+ if (!out) return;
+ const credentialsFilePath = path.join(paths.CIFS_CREDENTIALS_DIR, `${out.trim()}.cred`);
+ safe.fs.unlinkSync(credentialsFilePath);
 }
 }
diff --git a/src/paths.js b/src/paths.js
index ec57e2d5f..1072e86ef 100644
--- a/src/paths.js
+++ b/src/paths.js
@@ -43,6 +43,7 @@ exports = module.exports = {
 DHPARAMS_FILE: path.join(baseDir(), 'platformdata/dhparams.pem'),
 FEATURES_INFO_FILE: path.join(baseDir(), 'platformdata/features-info.json'),
 VERSION_FILE: path.join(baseDir(), 'platformdata/VERSION'),
+ CIFS_CREDENTIALS_DIR: path.join(baseDir(), 'platformdata/cifs'),
 SSHFS_KEYS_DIR: path.join(baseDir(), 'platformdata/sshfs'),
 SFTP_KEYS_DIR: path.join(baseDir(), 'platformdata/sftp/ssh'),
 SFTP_PUBLIC_KEY_FILE: path.join(baseDir(), 'platformdata/sftp/ssh/ssh_host_rsa_key.pub'),
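Review bot: Both failure paths in the new cifs branch of removeMount are silent: `if (!out) return;` leaves the `.cred` file, which holds the share password, on disk with no trace, and the result of `safe.fs.unlinkSync(credentialsFilePath)` is discarded, so a failed removal is never reported either. The render path in this same commit throws `BoxError.FS_ERROR` when the identical execSync call fails, so this branch should at least log `safe.error` on both paths, or throw to match renderMountFile, so that a leftover credentials file is noticed. The file name must also stay derived exactly as in renderMountFile, since any divergence in the escaping would orphan the file. removeMount begins before this hunk.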