diff --git a/application/model/PasswordResetModel.php b/application/model/PasswordResetModel.php
index 1507903e..25a0f2ac 100644
--- a/application/model/PasswordResetModel.php
+++ b/application/model/PasswordResetModel.php
@@ -35,9 +35,9 @@ public static function requestPasswordReset($user_name_or_email, $captcha)
         }
 
         // generate integer-timestamp (to see when exactly the user (or an attacker) requested the password reset mail)
-        // generate random hash for email password reset verification (40 char string)
+        // generate random hash for email password reset verification (40 bytes)
         $temporary_timestamp = time();
-        $user_password_reset_hash = random_bytes(40);
+        $user_password_reset_hash = bin2hex(random_bytes(40));
 
         // set token (= a random hash string and a timestamp) into database ...
         $token_set = self::setPasswordResetDatabaseToken($result->user_name, $user_password_reset_hash, $temporary_timestamp);
diff --git a/application/model/RegistrationModel.php b/application/model/RegistrationModel.php
index bcfe481b..044e00fe 100644
--- a/application/model/RegistrationModel.php
+++ b/application/model/RegistrationModel.php
@@ -50,8 +50,8 @@ public static function registerNewUser()
         // if Username or Email were false, return false
         if (!$return) return false;
 
-        // generate random hash for email verification (40 char string)
-        $user_activation_hash = random_bytes(40);
+        // generate random hash for email verification (40 bytes)
+        $user_activation_hash = bin2hex(random_bytes(40));
 
         // write user data to database
         if (!self::writeNewUserToDatabase($user_name, $user_password_hash, $user_email, time(), $user_activation_hash)) {
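Review bot: The new comment `(40 bytes)` on the added line in PasswordResetModel.php misstates what is stored: after `bin2hex()` `$user_password_reset_hash` is an 80-character hex string, so the database column that `setPasswordResetDatabaseToken` writes into must hold at least 80 characters — if it was sized for the 40 characters the old comment promised, a database that is not in strict mode would silently truncate the token and later verification could fail (the schema is not visible here, so this needs confirming; the same applies to `$user_activation_hash` and `writeNewUserToDatabase` in the RegistrationModel.php hunk). I would write `// generate a random token for email password reset verification (40 random bytes, hex-encoded to an 80-char string)` here and `// generate a random token for email verification (40 random bytes, hex-encoded to an 80-char string)` in RegistrationModel.php. Both variables are still named `_hash` although the value is now plain random bytes rather than a digest, so a `_token` name would describe the code more accurately; `requestPasswordReset` and `registerNewUser` both begin and end outside their hunks.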