diff --git a/internal/service/service.go b/internal/service/service.go
index cb8b00ff..6cb9db8b 100644
--- a/internal/service/service.go
+++ b/internal/service/service.go
@@ -39,7 +39,6 @@ const (
 )
 
 var (
-	chars     = []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
 	graceTime int
 )
 
diff --git a/internal/service/service_portable.go b/internal/service/service_portable.go
index d3181455..4703b33d 100644
--- a/internal/service/service_portable.go
+++ b/internal/service/service_portable.go
@@ -144,16 +144,15 @@ func (s *Service) configurePortableUser() string {
 		printablePassword = "[redacted]"
 	}
 	if len(s.PortableUser.PublicKeys) == 0 && s.PortableUser.Password == "" {
-		var b strings.Builder
-		for i := 0; i < 16; i++ {
-			b.WriteRune(chars[rand.Intn(len(chars))])
-		}
-		s.PortableUser.Password = b.String()
+		s.PortableUser.Password = util.GenerateUniqueID()
 		printablePassword = s.PortableUser.Password
 	}
 	s.PortableUser.Filters.WebClient = []string{sdk.WebClientSharesDisabled, sdk.WebClientInfoChangeDisabled,
 		sdk.WebClientPubKeyChangeDisabled, sdk.WebClientPasswordChangeDisabled, sdk.WebClientAPIKeyAuthChangeDisabled,
-		sdk.WebClientMFADisabled,
+		sdk.WebClientMFADisabled, sdk.WebClientPasswordResetDisabled, sdk.WebClientTLSCertChangeDisabled,
+	}
+	if !s.PortableUser.HasAnyPerm([]string{dataprovider.PermUpload, dataprovider.PermOverwrite}, "/") {
+		s.PortableUser.Filters.WebClient = append(s.PortableUser.Filters.WebClient, sdk.WebClientWriteDisabled)
 	}
 	s.configurePortableSecrets()
 	return printablePassword