diff --git a/ansible/files/bin/start-coturn.sh b/ansible/files/bin/start-coturn.sh
index 7adcb64..d4be1ff 100644
--- a/ansible/files/bin/start-coturn.sh
+++ b/ansible/files/bin/start-coturn.sh
@@ -13,6 +13,6 @@ TURN_EXTERNAL_IP="$(snikket-turn-addresses "$SNIKKET_DOMAIN")"
 exec /usr/bin/turnserver -c /etc/turnserver.conf --prod \
- --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret)" \
+ --static-auth-secret="$(cat /snikket/prosody/turn-auth-secret-v2)" \
 --cert="$CERTFILE" --pkey "$KEYFILE" -r "$SNIKKET_DOMAIN" \
 -X "$TURN_EXTERNAL_IP"
diff --git a/ansible/files/prosody.cfg.lua b/ansible/files/prosody.cfg.lua
index 0217b0c..24170fe 100644
--- a/ansible/files/prosody.cfg.lua
+++ b/ansible/files/prosody.cfg.lua
@@ -115,7 +115,7 @@ http_host = DOMAIN
 http_external_url = "https://"..DOMAIN.."/"
 turncredentials_host = DOMAIN
-turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret")):read("*a");
+turncredentials_secret = assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l");
 VirtualHost (DOMAIN)
 authentication = "internal_hashed"
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 0291a7f..24c8e6b 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -47,8 +47,13 @@ install -o letsencrypt -g letsencrypt -m 755 -d /var/www/.well-known/acme-challe
 chown -R letsencrypt:letsencrypt /snikket/letsencrypt
 ## Generate secret for coturn auth if necessary
-if ! test -f /snikket/prosody/turn-auth-secret; then
- head -c 32 /dev/urandom | sha256sum > /snikket/prosody/turn-auth-secret;
+if ! test -f /snikket/prosody/turn-auth-secret-v2; then
+ tr -dc 'a-z0-9' < /dev/urandom | head -c32 > /snikket/prosody/turn-auth-secret-v2;
+fi
+
+# COMPAT w/ alpha.20200513: remove older format
+if test -f /snikket/prosody/turn-auth-secret; then
+ rm /snikket/prosody/turn-auth-secret;
 fi
 exec supervisord -c /etc/supervisor/supervisord.conf
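Review bot: In start-coturn.sh the secret is still expanded into turnserver's argument list (`--static-auth-secret="$(cat …)"`), so it is readable from the process listing and `/proc/<pid>/cmdline` by other accounts in the container for as long as coturn runs. coturn also accepts `static-auth-secret` as a configuration-file option, so the value could go into a mode-restricted config fragment instead of argv. Separately, a failed `cat` does not stop the `exec`, so the server would start with an empty secret; a guard such as `test -s /snikket/prosody/turn-auth-secret-v2 || exit 1` before the `exec` makes that fail closed. The script's earlier lines are outside the hunk.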
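Review bot: In prosody.cfg.lua the `assert` only covers `io.open`; `read("*l")` returns nil on an empty file, so `turncredentials_secret` would be nil instead of stopping startup. Wrapping the read as well, `turncredentials_secret = assert(assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l"), "turn-auth-secret-v2 is empty");`, makes a missing or empty secret a hard configuration error. A short comment that this file must hold the same single-line value start-coturn.sh passes to turnserver would explain the switch to `*l`. The file handle is never closed, which is harmless here but easy to tidy with a local.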
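Review bot: In docker/entrypoint.sh the new `turn-auth-secret-v2` file is created through a plain `>` redirection, so its mode comes from the entrypoint's umask (not visible in this hunk) and the shared TURN secret may end up readable by every account in the container. Setting the mode and owner explicitly right after generation, limited to the accounts that run prosody and coturn, would make that deliberate. The guard also uses `test -f`, which accepts an empty file left by an interrupted write, so an empty secret would never be regenerated; `if ! test -s /snikket/prosody/turn-auth-secret-v2; then` closes that. Because `tr` ranges can be locale-sensitive, `LC_ALL=C tr -dc 'a-z0-9'` keeps the alphabet fixed.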