diff --git a/src/addons.js b/src/addons.js
index 688437ff4..169758b78 100644
--- a/src/addons.js
+++ b/src/addons.js
@@ -376,7 +376,7 @@ function setupLdap(app, options, callback) {
         'LDAP_USERS_BASE_DN=ou=users,dc=cloudron',
         'LDAP_GROUPS_BASE_DN=ou=groups,dc=cloudron',
         'LDAP_BIND_DN=cn='+ app.id + ',ou=apps,dc=cloudron',
-        'LDAP_BIND_PASSWORD=' + hat(256) // this is ignored
+        'LDAP_BIND_PASSWORD=' + hat(8 * 128) // this is ignored
     ];
 
     debugApp(app, 'Setting up LDAP');
diff --git a/src/clients.js b/src/clients.js
index 08d8dab9f..2135546b8 100644
--- a/src/clients.js
+++ b/src/clients.js
@@ -106,7 +106,7 @@ function add(appId, type, redirectURI, scope, callback) {
     if (error) return callback(error);
 
     var id = 'cid-' + uuid.v4();
-    var clientSecret = hat(256);
+    var clientSecret = hat(8 * 128);
 
     clientdb.add(id, appId, type, clientSecret, redirectURI, scope, function (error) {
         if (error) return callback(error);
diff --git a/src/platform.js b/src/platform.js
index 1376dbfed..3dbf9496a 100644
--- a/src/platform.js
+++ b/src/platform.js
@@ -101,7 +101,7 @@ function startGraphite(callback) {
 function startMysql(callback) {
     const tag = infra.images.mysql.tag;
     const dataDir = paths.DATA_DIR;
-    const rootPassword = hat(256);
+    const rootPassword = hat(8 * 128);
 
     if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/mysql_vars.sh', 
             'MYSQL_ROOT_PASSWORD=' + rootPassword +'\nMYSQL_ROOT_HOST=172.18.0.1', 'utf8')) {
@@ -125,7 +125,7 @@ function startMysql(callback) {
 function startPostgresql(callback) {
     const tag = infra.images.postgresql.tag;
     const dataDir = paths.DATA_DIR;
-    const rootPassword = hat(256);
+    const rootPassword = hat(8 * 128);
 
     if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/postgresql_vars.sh', 'POSTGRESQL_ROOT_PASSWORD=' + rootPassword, 'utf8')) {
         return callback(new Error('Could not create postgresql var file:' + safe.error.message));
@@ -148,7 +148,7 @@ function startPostgresql(callback) {
 function startMongodb(callback) {
     const tag = infra.images.mongodb.tag;
     const dataDir = paths.DATA_DIR;
-    const rootPassword = hat(256);
+    const rootPassword = hat(8 * 128);
 
     if (!safe.fs.writeFileSync(paths.DATA_DIR + '/addons/mongodb_vars.sh', 'MONGODB_ROOT_PASSWORD=' + rootPassword, 'utf8')) {
         return callback(new Error('Could not create mongodb var file:' + safe.error.message));
@@ -176,7 +176,7 @@ function startMail(callback) {
 
     const tag = infra.images.mail.tag;
     const dataDir = paths.DATA_DIR;
-    const rootPassword = hat(256);
+    const rootPassword = hat(8 * 128);
     const fqdn = config.fqdn();
     const mailFqdn = config.adminFqdn();
 
diff --git a/src/tokendb.js b/src/tokendb.js
index 09f34d5b9..8f38f7352 100644
--- a/src/tokendb.js
+++ b/src/tokendb.js
@@ -26,7 +26,7 @@ var assert = require('assert'),
 var TOKENS_FIELDS = [ 'accessToken', 'identifier', 'clientId', 'scope', 'expires' ].join(',');
 
 function generateToken() {
-    return hat(256);
+    return hat(8 * 64); // TODO: make this stronger
 }
 
 function get(accessToken, callback) {