diff --git a/dev/vagrant/bootstrap.sh b/dev/vagrant/bootstrap.sh
index 67b70775c1..e365b851e0 100644
--- a/dev/vagrant/bootstrap.sh
+++ b/dev/vagrant/bootstrap.sh
@@ -165,6 +165,7 @@ function configure_operator {
     tox -c ${KOLLA_PATH}/tox.ini -e genconfig
     cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla
+    ${KOLLA_PATH}/tools/generate_passwords.py
     mkdir -p /usr/share/kolla
     chown -R vagrant: /etc/kolla /usr/share/kolla
diff --git a/doc/quickstart.rst b/doc/quickstart.rst
index ef0ae708cb..82b9792b65 100644
--- a/doc/quickstart.rst
+++ b/doc/quickstart.rst
@@ -390,6 +390,15 @@ the Ansible inventory file can be found in the Ansible `inventory introduction
 All variables for the environment can be specified in the files:
 "/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml"
 
+Generate passwords for /etc/kolla/passwords.yml using the provided
+kolla-genpwd tool. The tool will populate all empty fields in the
+"/etc/kolla/passwords.yml" file using randomly generated values to secure the
+deployment. Optionally, the passwords may be populate in the file by hand.
+
+::
+
+    kolla-genpwd
+
 Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these
 parameters: kolla_base_distro, kolla_install_type.
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index a98911c3b5..5f250ac8c2 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
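Review bot: The generated /etc/kolla/passwords.yml now holds real secrets, but nothing in configure_operator restricts its mode: `cp -r` carries over the source-tree file's mode (presumably 0644 under a default umask) and the later `chown -R vagrant:` only changes ownership, so the file is likely world-readable on the box. Tighten it right after the generator runs, `chmod 600 /etc/kolla/passwords.yml`. The generator's exit status is also not checked; unless the script runs under `set -e` (not visible in this hunk), a failure would leave the blank template in place and the deployment would continue with empty passwords, so `${KOLLA_PATH}/tools/generate_passwords.py || exit 1` is safer.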
@@ -1,66 +1,62 @@
 ---
-# TODO(SamYaple): This file should have generated values by default. Propose
-# Ansible vault for locking down the secrets properly.
-
-
 ###################
 # Ceph options
 ####################
-ceph_cluster_fsid: "5fba2fbc-551d-11e5-a8ce-01ef4c5cf93c"
-rbd_secret_uuid: "bbc5b4d5-6fca-407d-807d-06a4f4a7bccb"
-
+# These options must be UUID4 values in string format
+# XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
+ceph_cluster_fsid:
+rbd_secret_uuid:
 ###################
 # Database options
 ####################
-database_password: "password"
-
+database_password:
 ####################
 # Docker options
 ####################
+# This should only be set if you require a password for your Docker registry
 docker_registry_password:
-
 ####################
 # OpenStack options
 ####################
-keystone_admin_password: "password"
-keystone_database_password: "password"
+keystone_admin_password:
+keystone_database_password:
-glance_database_password: "password"
-glance_keystone_password: "password"
+glance_database_password:
+glance_keystone_password:
-nova_database_password: "password"
-nova_api_database_password: "password"
-nova_keystone_password: "password"
+nova_database_password:
+nova_api_database_password:
+nova_keystone_password:
-neutron_database_password: "password"
-neutron_keystone_password: "password"
-metadata_secret: "password"
+neutron_database_password:
+neutron_keystone_password:
+metadata_secret:
-cinder_database_password: "password"
-cinder_keystone_password: "password"
+cinder_database_password:
+cinder_keystone_password:
-swift_keystone_password: "password"
-swift_hash_path_suffix: "kolla"
-swift_hash_path_prefix: "kolla"
+swift_keystone_password:
+swift_hash_path_suffix:
+swift_hash_path_prefix:
-heat_database_password: "password"
-heat_keystone_password: "password"
-heat_domain_admin_password: "password"
+heat_database_password:
+heat_keystone_password:
+heat_domain_admin_password:
-murano_database_password: "password"
-murano_keystone_password: "password"
+murano_database_password:
+murano_keystone_password:
-ironic_database_password: "password"
-ironic_keystone_password: "password"
+ironic_database_password:
+ironic_keystone_password:
-magnum_database_password: "password"
-magnum_keystone_password: "password"
+magnum_database_password:
+magnum_keystone_password:
-mistral_database_password: "password"
-mistral_keystone_password: "password"
+mistral_database_password:
+mistral_keystone_password:
 horizon_secret_key: "password"
@@ -72,12 +68,11 @@ memcache_secret_key: "password"
 ####################
 # RabbitMQ options
 ####################
-rabbitmq_password: "password"
-rabbitmq_cluster_cookie: "password"
-
+rabbitmq_password:
+rabbitmq_cluster_cookie:
 ####################
 # HAProxy options
 ####################
-haproxy_password: "password"
-keepalived_password: "password"
+haproxy_password:
+keepalived_password:
diff --git a/kolla/cmd/genpwd.py b/kolla/cmd/genpwd.py
new file mode 100755
index 0000000000..728dd458b9
--- /dev/null
+++ b/kolla/cmd/genpwd.py
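Review bot: `horizon_secret_key: "password"` survives as a context line at the end of the first hunk, and the second hunk's header context shows `memcache_secret_key: "password"` untouched as well, while every other secret in the file was blanked; because the new generator only fills keys whose value is empty, both will ship with the literal default `password` in every deployment that relies on kolla-genpwd. Blank them like the rest, `horizon_secret_key:` and `memcache_secret_key:`, so they are generated too. The UUID4 note added above the Ceph keys is useful; a one-line comment above the password sections, `# Leave empty and run kolla-genpwd to generate a random value`, would tell an operator why the file is now full of empty values and what to do about it.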
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import random
+import string
+import uuid
+import yaml
+
+
+def main():
+    # These keys should be random uuids
+    uuid_keys = ['ceph_cluster_fsid', 'rbd_secret_uuid']
+
+    # If these keys are None, leave them as None
+    blank_keys = ['docker_registry_password']
+
+    # length of password
+    length = 40
+
+    with open('/etc/kolla/passwords.yml', 'r') as f:
+        passwords = yaml.load(f.read())
+
+    for k, v in passwords.items():
+        if v is None:
+            if k in blank_keys and v is None:
+                continue
+            if k in uuid_keys:
+                passwords[k] = str(uuid.uuid4())
+            else:
+                passwords[k] = ''.join([
+                    random.SystemRandom().choice(
+                        string.ascii_letters + string.digits)
+                    for n in range(length)
+                ])
+
+    with open('/etc/kolla/passwords.yml', 'w') as f:
+        f.write(yaml.dump(passwords, default_flow_style=False))
+
+if __name__ == '__main__':
+    main()
diff --git a/setup.cfg b/setup.cfg
index cf11709c04..b27943b069 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -35,6 +35,7 @@ scripts =
 [entry_points]
 console_scripts =
     kolla-build = kolla.cmd.build:main
+    kolla-genpwd = kolla.cmd.genpwd:main
 oslo.config.opts =
     kolla = kolla.opts:list_opts
diff --git a/tools/generate_passwords.py b/tools/generate_passwords.py
new file mode 120000
index 0000000000..e157963a38
--- /dev/null
+++ b/tools/generate_passwords.py
@@ -0,0 +1 @@
+../kolla/cmd/genpwd.py
\ No newline at end of file
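Review bot: `passwords = yaml.load(f.read())` in main() uses PyYAML's full loader, which will construct arbitrary Python objects from `!!python/...` tags in the file; the input is the operator's own config, but a flat mapping of scalars needs nothing beyond `yaml.safe_load(f)`, and pairing it with `yaml.safe_dump` keeps the output to plain scalars too. The file is then reopened with `'w'`, which keeps whatever mode it already had, so for a file that now holds the real secrets the mode should be set explicitly (`os.fchmod(f.fileno(), 0o600)`, which needs `import os`). Smaller points: `random.SystemRandom()` is instantiated once per generated character, the inner `and v is None` is already guaranteed by the enclosing `if v is None`, and `yaml.dump` discards every section comment in passwords.yml, including the UUID4 note this same commit adds. That last behaviour is worth stating up front in a module docstring, e.g. `"""Fill every empty value in /etc/kolla/passwords.yml with a random secret; the file is rewritten in place and its comments are lost."""`.
```python
def main():
    # … unchanged: uuid_keys / blank_keys / length …
    with open('/etc/kolla/passwords.yml', 'r') as f:
        passwords = yaml.safe_load(f)

    rng = random.SystemRandom()
    alphabet = string.ascii_letters + string.digits
    for k, v in passwords.items():
        if v is not None or k in blank_keys:
            continue
        if k in uuid_keys:
            passwords[k] = str(uuid.uuid4())
        else:
            passwords[k] = ''.join(rng.choice(alphabet) for _ in range(length))

    with open('/etc/kolla/passwords.yml', 'w') as f:
        os.fchmod(f.fileno(), 0o600)  # file holds secrets: owner-only
        f.write(yaml.safe_dump(passwords, default_flow_style=False))
```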
diff --git a/tools/setup_gate.sh b/tools/setup_gate.sh
index aa74a9e629..2dc8136877 100755
--- a/tools/setup_gate.sh
+++ b/tools/setup_gate.sh
@@ -13,6 +13,8 @@ function setup_config {
     tox -e genconfig
     # Copy configs
     sudo cp -a etc/kolla /etc/
+    # Generate passwords
+    sudo tools/generate_passwords.py
     # Use Infra provided pypi
     echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header