diff --git a/php/public/index.php b/php/public/index.php
index 531962cf..b6b76a85 100644
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -182,6 +182,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
 'community_containers_enabled' => $configurationManager->aioCommunityContainers,
 'bypass_container_update' => $bypass_container_update,
 'desec_email' => $configurationManager->desecEmail,
+ 'desec_password' => $configurationManager->getDesecPassword(),
 'is_desec_domain' => $configurationManager->isDesecDomain(),
 'desec_account_registered' => $configurationManager->isDesecAccountRegistered(),
 ]);
diff --git a/php/src/Controller/DesecController.php b/php/src/Controller/DesecController.php
index ca7918c9..5768f25c 100644
--- a/php/src/Controller/DesecController.php
+++ b/php/src/Controller/DesecController.php
@@ -63,15 +63,16 @@ readonly class DesecController {
 try {
 if (!$accountAlreadyRegistered) {
 // Register an account at deSEC and obtain an API token.
- // The password is intentionally ephemeral: only the API token is needed for
- // subsequent calls, so the password does not need to be stored.
+ // The password is stored so the user can log in to desec.io directly if needed.
 $password = bin2hex(random_bytes(24));
 $token = $this->registerDesecAccount($email, $password);
- // Persist the token and email immediately so that a subsequent domain-registration
- // failure leaves the account credentials stored and allows the user to retry.
+ // Persist the token, password and email immediately so that a subsequent
+ // domain-registration failure leaves the account credentials stored and allows
+ // the user to retry.
 $this->configurationManager->startTransaction();
 $this->configurationManager->setDesecToken($token);
+ $this->configurationManager->setDesecPassword($password);
 $this->configurationManager->desecEmail = $email;
 $this->configurationManager->commitTransaction();
 }
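Review bot: `getDesecPassword()` is now evaluated and handed to the template on every `/containers` render, whether or not a deSEC account exists or the credentials block will be shown. Limiting it to the states that display it keeps the secret out of the template context the rest of the time, e.g. `'desec_password' => ($configurationManager->isDesecDomain() || $configurationManager->isDesecAccountRegistered()) ? $configurationManager->getDesecPassword() : '',`. Because the response body now carries a long-lived credential, it is also worth confirming that this route is served with `Cache-Control: no-store`; the response headers are not visible in the hunk. The route closure starts and ends outside the hunk.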
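Review bot: The rewritten comment above `$password = bin2hex(random_bytes(24));` removes the security rationale the old comment carried without recording the new trade-off. The account password is a broader credential than the API token, since it allows login at desec.io, and it is now persisted with `setDesecPassword($password)` next to the token. I would say so in the comment, for example `// The password is persisted as-is in the secrets store so the user can log in at desec.io; read access to the AIO configuration therefore implies access to the deSEC account.` The stored copy is also never refreshed, so it presumably goes stale if the user changes the password at desec.io. The enclosing method starts and ends outside the hunk.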
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index b4ad58b0..2f7ad0b4 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -221,6 +221,22 @@ class ConfigurationManager
 : '';
 }
+ /**
+ * Stores the deSEC account password in the secrets store so the user can log in at desec.io.
+ */
+ public function setDesecPassword(string $password): void {
+ $secrets = $this->get('secrets', []);
+ $secrets['DESEC_PASSWORD'] = $password;
+ $this->set('secrets', $secrets);
+ }
+
+ public function getDesecPassword(): string {
+ $secrets = $this->get('secrets', []);
+ return isset($secrets['DESEC_PASSWORD']) && is_string($secrets['DESEC_PASSWORD'])
+ ? $secrets['DESEC_PASSWORD']
+ : '';
+ }
+
 /**
 * Returns true when the configured domain is a deSEC dedyn.io subdomain and a token is stored.
 */
diff --git a/php/templates/containers.twig b/php/templates/containers.twig
index aeda31b3..a6808bda 100644
--- a/php/templates/containers.twig
+++ b/php/templates/containers.twig
@@ -137,6 +137,7 @@
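Review bot: `getDesecPassword()` has no docblock although `setDesecPassword()` does, and its empty-string fallback is a contract the templates depend on. Suggested: `/** Returns the stored deSEC account password, or '' when none is stored or the stored value is not a string. */`. The setter's docblock could also state that the value is written unchanged under `secrets['DESEC_PASSWORD']`. If entries of `secrets` are handed to containers, logs or backups elsewhere in the project, this key presumably needs to be excluded there; that code is not visible in this diff.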

deSEC offers free dynamic DNS subdomains under dedyn.io. AIO can register an account and a subdomain for you automatically. The caddy community container will be enabled as a reverse proxy, the dnsmasq container will be enabled for local DNS resolution, and the mastercontainer will keep your DNS record up to date automatically.

{% if desec_account_registered %}

Your deSEC account ({{ desec_email }}) was registered successfully but the domain could not be registered. Please enter a desired subdomain slug (the part before .dedyn.io) and try again, or leave it blank for a random one.

+

Your deSEC login credentials (for desec.io): Email: {{ desec_email }}, Password: {{ desec_password }}. Please save these in a safe place.
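Review bot: The credentials paragraph added inside `{% if desec_account_registered %}` prints `{{ desec_password }}` unconditionally, but `getDesecPassword()` returns an empty string when nothing is stored and `setDesecPassword()` is only called in the new-registration branch of the controller. An account that was registered before this change would presumably see "Password:" followed by nothing and still be told to save it. Wrapping the paragraph in `{% if desec_password %}` … `{% endif %}` avoids that. The `{% if is_desec_domain %}` block in the hunk at -398 has the same gap and could use `{% if is_desec_domain and desec_password %}`.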

@@ -398,6 +399,14 @@ {% if was_start_button_clicked == true %} + {% if is_desec_domain %} +

deSEC account credentials

+

Your domain {{ domain }} is managed via deSEC. Below are your deSEC account credentials. You can use them to log in at desec.io to manage your domain directly.

+

Email: {{ desec_email }}

+

Password: {{ desec_password }}

+

Please save these credentials in a safe place.

+ {% endif %} + {% if is_backup_section_enabled == false %}

Backup and restore

The backup section is disabled via environmental variable.
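Review bot: The block under `{% if is_desec_domain %}` prints the account password in clear text on the main containers page for as long as the deSEC domain is configured, so it shows up in every later page load, screenshot or screen share of the AIO interface. Consider keeping it out of the default view, for instance inside a collapsed `<details>` element or behind a reveal control, or showing it only until the user confirms it has been saved. The surrounding markup is not fully visible in this extract, so the exact placement is left open.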