diff --git a/src/cli/config.rs b/src/cli/config.rs
index 358c095c..c25c8dab 100644
--- a/src/cli/config.rs
+++ b/src/cli/config.rs
@@ -8,7 +8,7 @@ pub struct Config {
 	pub bind: SocketAddr,
 	pub path: String,
 	pub user: String,
-	pub pass: String,
+	pub pass: Option<String>,
 	pub crt: Option<String>,
 	pub key: Option<String>,
 }
@@ -25,7 +25,7 @@ pub fn init(matches: &clap::ArgMatches) {
 	// Parse the root username for authentication
 	let user = matches.value_of("user").unwrap().to_owned();
 	// Parse the root password for authentication
-	let pass = matches.value_of("pass").unwrap().to_owned();
+	let pass = matches.value_of("pass").map(|v| v.to_owned());
 	// Parse any TLS server security options
 	let crt = matches.value_of("web-crt").map(|v| v.to_owned());
 	let key = matches.value_of("web-key").map(|v| v.to_owned());
diff --git a/src/cli/mod.rs b/src/cli/mod.rs
index 15a64154..102b8265 100644
--- a/src/cli/mod.rs
+++ b/src/cli/mod.rs
@@ -10,9 +10,6 @@ pub use config::CF;
 
 use crate::cnf::LOGO;
 use clap::{Arg, Command};
-use once_cell::sync::Lazy;
-use rand::distributions::Alphanumeric;
-use rand::Rng;
 
 pub const LOG: &str = "surrealdb::cli";
 
@@ -29,10 +26,6 @@ We would love it if you could star the repository (https://github.com/surrealdb/
 ----------
 ";
 
-static PASS: Lazy<String> = Lazy::new(|| {
-	rand::thread_rng().sample_iter(&Alphanumeric).take(16).map(char::from).collect::<String>()
-});
-
 fn file_valid(v: &str) -> Result<(), String> {
 	if !v.is_empty() {
 		return Ok(());
@@ -157,9 +150,8 @@ pub fn init() {
 				Arg::new("pass")
 					.short('p')
 					.long("pass")
-					.hide_default_value(true)
+					.takes_value(true)
 					.forbid_empty_values(true)
-					.default_value(PASS.as_str())
 					.help("The master password for the database"),
 			)
 			.arg(
diff --git a/src/iam/verify.rs b/src/iam/verify.rs
index 2821bfe4..af7cbfa9 100644
--- a/src/iam/verify.rs
+++ b/src/iam/verify.rs
@@ -97,9 +97,11 @@ pub async fn basic(session: &mut Session, auth: String) -> Result<(), Error> {
 				return Err(Error::InvalidAuth);
 			}
 			// Check if this is root authentication
-			if user == opts.user && pass == opts.pass {
-				session.au = Arc::new(Auth::Kv);
-				return Ok(());
+			if let Some(root) = &opts.pass {
+				if user == opts.user && pass == root {
+					session.au = Arc::new(Auth::Kv);
+					return Ok(());
+				}
 			}
 			// Check if this is NS authentication
 			if let Some(ns) = &session.ns {