diff --git a/share/rpcauth/rpcauth.py b/share/rpcauth/rpcauth.py
index d441d5f21d4..cc7bba1f8b1 100755
--- a/share/rpcauth/rpcauth.py
+++ b/share/rpcauth/rpcauth.py
@@ -4,22 +4,20 @@
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 
 from argparse import ArgumentParser
-from base64 import urlsafe_b64encode
 from getpass import getpass
-from os import urandom
-
+from secrets import token_hex, token_urlsafe
 import hmac
 
 def generate_salt(size):
     """Create size byte hex salt"""
-    return urandom(size).hex()
+    return token_hex(size)
 
 def generate_password():
     """Create 32 byte b64 password"""
-    return urlsafe_b64encode(urandom(32)).decode('utf-8')
+    return token_urlsafe(32)
 
 def password_to_hmac(salt, password):
-    m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), 'SHA256')
+    m = hmac.new(salt.encode('utf-8'), password.encode('utf-8'), 'SHA256')
     return m.hexdigest()
 
 def main():
@@ -38,8 +36,8 @@ def main():
     password_hmac = password_to_hmac(salt, args.password)
 
     print('String to be appended to bitcoin.conf:')
-    print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac))
-    print('Your password:\n{0}'.format(args.password))
+    print(f'rpcauth={args.username}:{salt}${password_hmac}')
+    print(f'Your password:\n{args.password}')
 
 if __name__ == '__main__':
     main()
diff --git a/test/util/rpcauth-test.py b/test/util/rpcauth-test.py
index 53058dc394a..8a7ff26dcb2 100755
--- a/test/util/rpcauth-test.py
+++ b/test/util/rpcauth-test.py
@@ -4,7 +4,7 @@
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 """Test share/rpcauth/rpcauth.py
 """
-import base64
+import re
 import configparser
 import hmac
 import importlib
@@ -28,18 +28,17 @@ class TestRPCAuth(unittest.TestCase):
             self.assertEqual(len(self.rpcauth.generate_salt(i)), i * 2)
 
     def test_generate_password(self):
+        """Test that generated passwords only consist of urlsafe characters."""
+        r = re.compile(r"[0-9a-zA-Z_-]*")
         password = self.rpcauth.generate_password()
-        expected_password = base64.urlsafe_b64encode(
-            base64.urlsafe_b64decode(password)).decode('utf-8')
-        self.assertEqual(expected_password, password)
+        self.assertTrue(r.fullmatch(password))
 
     def test_check_password_hmac(self):
         salt = self.rpcauth.generate_salt(16)
         password = self.rpcauth.generate_password()
         password_hmac = self.rpcauth.password_to_hmac(salt, password)
 
-        m = hmac.new(bytearray(salt, 'utf-8'),
-            bytearray(password, 'utf-8'), 'SHA256')
+        m = hmac.new(salt.encode('utf-8'), password.encode('utf-8'), 'SHA256')
         expected_password_hmac = m.hexdigest()
 
         self.assertEqual(expected_password_hmac, password_hmac)