diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index ff16f61..fc79ace 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -23,9 +23,11 @@ export function verifyPassword(password: string, hash: string): boolean {
 }
 /** A readable one-time password for admin resets. Give to the user; they
- * change it from /account. */
+ * change it from /account. 16 bytes = 128 bits of entropy from the CSPRNG
+ * (the 'Bifrost-' prefix is fixed/known, so the randomness must carry the
+ * full strength on its own). */
 export function generateTempPassword(): string {
- return 'Bifrost-' + randomBytes(4).toString('hex');
+ return 'Bifrost-' + randomBytes(16).toString('base64url');
 }
 // ── Invite tokens ────────────────────────────────────────────────
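Review bot: The doc comment above generateTempPassword still describes the value as "readable", but the new `toString('base64url')` output is 22 mixed-case characters drawn from an alphabet that includes `-` and `_`, which is noticeably harder to read aloud or retype than the previous hex string, and the `-` also collides with the `'Bifrost-'` separator. Either the comment should be adjusted to say the value is meant to be copied rather than transcribed, e.g. `/** A one-time password for admin resets (copy/paste, not meant to be read aloud). ... */`, or the random part should use an alphabet without ambiguous characters; the 128-bit entropy argument in the comment holds either way. Separately, `'base64url'` as a Buffer encoding is only available on Node 15.7 and later; on an older runtime Buffer#toString throws an unknown-encoding error rather than falling back, so the minimum Node version should be pinned in the package's engines field, which is not visible here.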