diff --git a/powerdnsadmin/models/api_key.py b/powerdnsadmin/models/api_key.py
index 89b9fc1..4c26cd2 100644
--- a/powerdnsadmin/models/api_key.py
+++ b/powerdnsadmin/models/api_key.py
@@ -1,4 +1,4 @@
-import random
+import secrets
 import string
 import bcrypt
 from flask import current_app
@@ -30,7 +30,7 @@ class ApiKey(db.Model):
         self.accounts[:] = accounts
         if not key:
             rand_key = ''.join(
-                random.choice(string.ascii_letters + string.digits)
+                secrets.choice(string.ascii_letters + string.digits)
                 for _ in range(15))
             self.plain_key = rand_key
             self.key = self.get_hashed_password(rand_key).decode('utf-8')
diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py
index 448144b..1fd5e3a 100644
--- a/powerdnsadmin/routes/api.py
+++ b/powerdnsadmin/routes/api.py
@@ -30,7 +30,7 @@ from ..decorators import (
     apikey_is_admin, apikey_can_access_domain, api_role_can,
     apikey_or_basic_auth,
 )
-import random
+import secrets
 import string
 
 api_bp = Blueprint('api', __name__, url_prefix='/api/v1')
@@ -687,7 +687,7 @@ def api_create_user():
 
     if not plain_text_password and not password:
         plain_text_password = ''.join(
-            random.choice(string.ascii_letters + string.digits)
+            secrets.choice(string.ascii_letters + string.digits)
             for _ in range(15))
     if not role_name and not role_id:
         role_name = 'User'