diff --git a/sso-mfa/k8s/lldap/create-user.sh b/sso-mfa/k8s/lldap/create-user.sh
index d3c7af2..3cd4578 100755
--- a/sso-mfa/k8s/lldap/create-user.sh
+++ b/sso-mfa/k8s/lldap/create-user.sh
@@ -2,17 +2,19 @@
 # create-user.sh — create a user in LLDAP and add them to net-kingdom-users
 #
 # Usage:
-# ./create-user.sh [display-name] [--admin] [lldap-url] [secrets-dir]
+# ./create-user.sh [display-name] [--admin] [--test] [lldap-url] [secrets-dir]
 #
 # LDAP uid — e.g. "bernd" or "testuser"
 # e.g. "bernd@coulomb.social"
 # defaults to
 # --admin also add to net-kingdom-admins
+# --test set password automatically as (spaces→hyphens)
+# e.g. display "Test User" → password "Test-User-Pwd"
 # default: https://lldap.coulomb.social
 # default: ../../bootstrap/secrets
 #
 # Examples:
-# ./create-user.sh testuser test.user@coulomb.social "Test User"
+# ./create-user.sh testuser test.user@coulomb.social "Test User" --test
 # ./create-user.sh bernd bernd@coulomb.social "Bernd W" --admin
 set -euo pipefail
@@ -23,13 +25,19 @@ DISPLAY_NAME="${3:-$USERNAME}"
 LLDAP_URL="https://lldap.coulomb.social"
 SECRETS_DIR="../../bootstrap/secrets"
 ADMIN_FLAG=""
+TEST_FLAG=""
 for arg in "$@"; do
 [[ "$arg" == "--admin" ]] && ADMIN_FLAG="yes"
+ [[ "$arg" == "--test" ]] && TEST_FLAG="yes"
+done
+# Allow lldap-url and secrets-dir as positional 4/5 if not a flag
+for pos in 4 5; do
+ val="${!pos:-}"
+ [[ "$val" == "--admin" || "$val" == "--test" || -z "$val" ]] && continue
+ [[ $pos -eq 4 ]] && LLDAP_URL="$val"
+ [[ $pos -eq 5 ]] && SECRETS_DIR="$val"
 done
-# Allow lldap-url and secrets-dir as positional 4/5 if not --admin
-[[ "${4:-}" != "--admin" && -n "${4:-}" ]] && LLDAP_URL="${4}"
-[[ "${5:-}" != "--admin" && -n "${5:-}" ]] && SECRETS_DIR="${5}"
 if [[ -z "$USERNAME" || -z "$EMAIL" ]]; then
 echo "Usage: $0 [display-name] [--admin]" >&2
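Review bot: The `for pos in 4 5` loop assigns by absolute position, so the argument order the updated usage line documents does not work: in `"Test User" --test <lldap-url>` the URL is `$5` and ends up in `SECRETS_DIR`, and with both `--admin` and `--test` present the URL is `$6` and is never read. In both cases `LLDAP_URL` silently keeps its default `https://lldap.coulomb.social`, so an account intended for another instance is created against the default one. `DISPLAY_NAME` is taken from `$3` above this hunk, so omitting the display name and passing `--test` third makes the display name the literal `--test`. Separating flags from positionals in one pass, as sketched below, removes the position dependence; it re-assigns `DISPLAY_NAME`, which lives outside the hunk, so confirm that against the full file. The usage string in the error branch at the end of the hunk should also gain `[--test]`.

```shell
TEST_FLAG=""
# Separate flags from positionals so their order on the command line no longer matters.
positional=()
for arg in "${@:3}"; do
  case "$arg" in
    --admin) ADMIN_FLAG="yes" ;;
    --test) TEST_FLAG="yes" ;;
    *) positional+=("$arg") ;;
  esac
done
DISPLAY_NAME="${positional[0]:-$USERNAME}"
LLDAP_URL="${positional[1]:-$LLDAP_URL}"
SECRETS_DIR="${positional[2]:-$SECRETS_DIR}"
# … unchanged: usage check on USERNAME / EMAIL …
```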
@@ -163,8 +171,14 @@ fi
 # ── Set password ──────────────────────────────────────────────────────────────
 echo ""
 echo "Setting password for '$USERNAME' ..."
-read -r -s -p " Enter password (leave blank to skip): " USER_PASS
-echo ""
+if [[ -n "$TEST_FLAG" ]]; then
+ # Derive password from display name: "Test User" → "Test-User-Pwd"
+ USER_PASS=$(echo "$DISPLAY_NAME" | tr ' ' '-')-Pwd
+ echo " [--test] Using derived password: $USER_PASS"
+else
+ read -r -s -p " Enter password (leave blank to skip): " USER_PASS
+ echo ""
+fi
 if [[ -n "$USER_PASS" ]]; then
 VARS=$(VAR_KEYS="uid,pw" VAR_uid="$USERNAME" VAR_pw="$USER_PASS" make_vars)
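Review bot: The `--test` branch gives the account a password that anyone who knows the display name can compute, and nothing in the new code keeps it away from `--admin` or from the default `https://lldap.coulomb.social`. Since `DISPLAY_NAME` falls back to `$USERNAME` (the assignment shown in the earlier hunk header), the value is simply the uid followed by `-Pwd` when no display name is passed. I would reject the combination before this block with `[[ -n "$TEST_FLAG" && -n "$ADMIN_FLAG" ]] && { echo "--test cannot be combined with --admin" >&2; exit 1; }`, and drop the `echo` that prints the password, because the derivation rule is already in the header comment and the line otherwise ends up in terminal scrollback and CI logs. `USER_PASS="${DISPLAY_NAME// /-}-Pwd"` performs the same substitution without the `echo | tr` pipeline. The `if [[ -n "$USER_PASS" ]]` block that consumes the value continues past the end of the hunk.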