--- a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables
+++ a/base/univention-base-files/debian/univention-base-files.univention-config-registry-variables
@@ -1178,8 +1178,8 @@ Type=str
 Categories=service-base
 [machine/password/length]
-Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 20 Zeichen lang.
-Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 20 characters.
+Description[de]=Das Passwort des Rechnerkontos wird in der Regel automatisch erstellt und rotiert. Es wird in der Datei /etc/machine.secret gespeichert. Diese Variable konfiguriert die Länge des generierten Passworts. Ist die Variable nicht gesetzt, ist das Passwort 32 Zeichen lang.
+Description[en]=The password for the computer account is usually automatically created and rotated. It is stored in the file /etc/machine.secret. This variable configures the length of the generated password. If the variable is unset, the password consists of 32 characters.
 Type=int
 Categories=service-base
--- a/base/univention-lib/python/misc.py
+++ a/base/univention-lib/python/misc.py
@@ -48,7 +48,7 @@ def createMachinePassword():
 """
 ucr = ConfigRegistry()
 ucr.load()
- length = ucr.get('machine/password/length', '20')
+ length = ucr.get('machine/password/length', '32')
 compl = ucr.get('machine/password/complexity', 'scn')
 p = subprocess.Popen(["pwgen", "-1", "-" + compl, length], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 (stdout, stderr) = p.communicate()
--- a/base/univention-lib/shell/base.sh
+++ a/base/univention-lib/shell/base.sh
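Review bot: The fallback `'32'` in `ucr.get('machine/password/length', '32')` is now one of several copies of the same default, with `"${length:-32}"` in create_machine_password in base.sh and the `makepasswd --chars=${machine_password_length:-32}` calls in the join scripts carrying the others, so the next change to the default has to find every copy again. A module constant such as `DEFAULT_MACHINE_PASSWORD_LENGTH = '32'` in misc.py, used here and cited in a comment beside the shell default, would leave one authoritative value. The string read from UCR is also handed to pwgen as-is; checking it with `int()` and falling back to the default on `ValueError` would reject a mistyped value before a process is spawned with it. createMachinePassword starts before the hunk and continues past it.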
@@ -145,7 +145,7 @@ create_machine_password () {
 local length compl
 length="$(/usr/sbin/univention-config-registry get machine/password/length)"
 compl="$(/usr/sbin/univention-config-registry get machine/password/complexity)"
- pwgen -1 -"${compl:-scn}" "${length:-20}" | tr -d '\n'
+ pwgen -1 -"${compl:-scn}" "${length:-32}" | tr -d '\n'
 }
 #
--- a/base/univention-licence/lib/license_ldap.c
+++ a/base/univention-licence/lib/license_ldap.c
@@ -8,7 +8,7 @@ static univention_ldap_parameters_t *lp = NULL;
-#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 60
+#define _UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX 256
 int univention_ldap_set_machine_connection(univention_ldap_parameters_t *lp) {
 FILE *secret;
 size_t len;
--- a/base/univention-policy/lib/ldap.c
+++ a/base/univention-policy/lib/ldap.c
@@ -107,7 +107,7 @@ static int sasl_interact(LDAP *ld, unsigned flags, void *defaults, void *in)
 return LDAP_SUCCESS;
 }
-#define _UNIVENTION_LDAP_SECRET_LEN_MAX 27
+#define _UNIVENTION_LDAP_SECRET_LEN_MAX 256
 int univention_ldap_set_admin_connection( univention_ldap_parameters_t *lp ) {
 FILE *secret;
--- a/doc/manual/computers-de.xml
+++ a/doc/manual/computers-de.xml
@@ -26,7 +26,7 @@ Das Passwort für das Rechnerkonto wird beim Domänenbeitritt automatisch erzeugt und in der Datei /etc/machine.secret gespeichert. Das Passwort umfasst in der
- Grundeinstellung 20 Zeichen (konfigurierbar über die &ucsUCRV; machine/password/length).
+ Grundeinstellung 32 Zeichen (konfigurierbar über die &ucsUCRV; machine/password/length).
 Das Passwort wird in festen Intervallen automatisch neu generiert (in der Grundeinstellung 21 Tage, konfigurierbar über die &ucsUCRV; server/password/interval). Die Passwortrotation kann über die
--- a/doc/manual/computers-en.xml
+++ a/doc/manual/computers-en.xml
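Review bot: `_UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX` in license_ldap.c and `_UNIVENTION_LDAP_SECRET_LEN_MAX` in policy/lib/ldap.c now hold the same limit under two names, and both identifiers begin with an underscore followed by an uppercase letter, a form C reserves for the implementation; a single `UNIVENTION_LDAP_SECRET_LEN_MAX` in a shared header would fix both. Raising the value to 256 also leaves the buffer size independent of `machine/password/length`, which stays configurable, so the limit is an unchecked assumption about the configured length; a comment at the define such as `/* must exceed machine/password/length plus trailing newline and NUL; keep in step with the default in univention-lib */` records the dependency, and a check in the read path that the secret did not reach the limit would make an over-long secret an explicit error rather than a truncated credential. The bodies of univention_ldap_set_machine_connection and univention_ldap_set_admin_connection, where the secret is presumably read into a buffer of this size, continue past the hunks, so how a longer secret is handled cannot be confirmed here.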
@@ -27,7 +27,7 @@ The password for the computer account is generated automatically during the domain join and saved in the /etc/machine.secret file. By default the
- password consists of 20 characters (can be configured via the &ucsUCRV;
+ password consists of 32 characters (can be configured via the &ucsUCRV;
 machine/password/length). The password is regenerated automatically at fixed intervals (default setting: 21 days; can be configured using the &ucsUCRV; server/password/interval). Password rotation can also be disabled
--- a/management/univention-appcenter/scripts/joinscripthelper.sh
+++ a/management/univention-appcenter/scripts/joinscripthelper.sh
@@ -40,8 +40,9 @@ CONTAINER=$(ucr get "$ucr_container_key")
 joinscript_add_simple_app_system_user () {
 local password
 local pwdfile
+ eval "$(ucr shell machine/password/length)"
- password="$(makepasswd)"
+ password="$(makepasswd --chars=${machine_password_length:-32})"
 pwdfile="/etc/$APP.secret"
 joinscript_run_in_container touch "$pwdfile"
 joinscript_run_in_container chmod 600 "$pwdfile"
--- a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst
+++ a/management/univention-self-service/35univention-self-service-passwordreset-umc.inst
@@ -60,7 +60,7 @@ if [ "$server_role" = "domaincontroller_master" -o "$server_role" = "domaincontr
 DB_SECRET_FILE="/etc/self-service-db.secret"
 if [ ! -f $DB_SECRET_FILE ]; then
 echo "Generating new DB password..."
- selfservice_pwd="$(makepasswd --chars 20)"
+ selfservice_pwd="$(makepasswd --chars=${machine_password_length:-32})"
 touch "$DB_SECRET_FILE"
 chown root:root "$DB_SECRET_FILE"
 chmod 600 "$DB_SECRET_FILE"
--- a/saml/univention-saml/91univention-saml.inst
+++ a/saml/univention-saml/91univention-saml.inst
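Review bot: `${machine_password_length:-32}` on the new makepasswd line in joinscripthelper.sh is unquoted and unvalidated, so a value containing whitespace or glob characters is word-split before makepasswd sees it and a non-numeric value reaches makepasswd unchecked; `password="$(makepasswd --chars="${machine_password_length:-32}")"` fixes the quoting, and a guard placed after the eval, `case "${machine_password_length:-}" in *[!0-9]*) machine_password_length=32;; esac`, keeps a mistyped UCR value from reaching the command. The `eval "$(ucr shell machine/password/length)"` also assigns `machine_password_length` outside the function's scope, since only `password` and `pwdfile` are declared local; adding it to the `local` declarations keeps the helper self-contained. The same unquoted expansion appears in 35univention-self-service-passwordreset-umc.inst, 91univention-saml.inst and univention-mariadb.postinst.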
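Review bot: `selfservice_pwd="$(makepasswd --chars=${machine_password_length:-32})"` in 35univention-self-service-passwordreset-umc.inst reads `machine_password_length`, but unlike the joinscripthelper.sh and univention-mariadb.postinst hunks this one adds no `eval "$(ucr shell machine/password/length)"` to populate it; unless an earlier `eval "$(ucr shell …)"` outside the hunk already defines the variable, the configured length is silently ignored and 32 is always used. `PASSWORD=$(makepasswd --chars=${machine_password_length:-32})` in 91univention-saml.inst has the same gap. Either adding the `eval` line before the call or a one-line comment naming where the variable is loaded would make the dependency visible. The enclosing `if` block starts before the hunk and ends after it.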
@@ -134,7 +134,7 @@ if [ "$server_role" = "domaincontroller_master" ]; then
 # Only set password if sys-idp-user does not exist
 username=$(ucs_getAttrOfDN uid uid=sys-idp-user,cn=users,"$ldap_base" "$@" 2>/dev/null)
 if [ ! "$username" = "sys-idp-user" ]; then
- PASSWORD=$(makepasswd --chars=20)
+ PASSWORD=$(makepasswd --chars=${machine_password_length:-32})
 touch "$SECRETFILE"
 chown root:"DC Backup Hosts" "$SECRETFILE"
 chmod 640 "$SECRETFILE"
--- a/services/univention-mariadb/debian/univention-mariadb.postinst
+++ a/services/univention-mariadb/debian/univention-mariadb.postinst
@@ -39,10 +39,11 @@ test_mysql_access() {
 create_mysql_secret_if_not_exists () {
 if [ ! -e /etc/mysql.secret ]; then
+ eval "$(ucr shell machine/password/length 2>/dev/null || /bin/true)"
 touch /etc/mysql.secret
 chmod 600 /etc/mysql.secret
 chown root /etc/mysql.secret
- makepasswd --nocrypt --chars=20 >> /etc/mysql.secret
+ makepasswd --nocrypt --chars=${machine_password_length:-32} >> /etc/mysql.secret
 fi
 }
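Review bot: In the added `eval "$(ucr shell machine/password/length 2>/dev/null || /bin/true)"` in univention-mariadb.postinst the `|| /bin/true` has no effect, because it only changes the exit status of the command substitution, which eval does not reflect, while `2>/dev/null` hides a genuine ucr failure; `eval "$(ucr shell machine/password/length)"`, the form used in joinscripthelper.sh, says the same thing more plainly. The expansion on the makepasswd line should also be quoted, `makepasswd --nocrypt --chars="${machine_password_length:-32}" >> /etc/mysql.secret`, and since create_mysql_secret_if_not_exists declares no locals, a `local machine_password_length` before the eval would keep the variable out of the script's global scope.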