diff --git a/Security/PasswordRecover/TokenManager.php b/Security/PasswordRecover/TokenManager.php
index ea9c3ab7c..3dc0c1060 100644
--- a/Security/PasswordRecover/TokenManager.php
+++ b/Security/PasswordRecover/TokenManager.php
@@ -44,6 +44,8 @@ class TokenManager
     const TIMESTAMP = 'ts';
     const USERNAME_CANONICAL = 'u';
 
+    const TOKEN_LENGTH = 24;
+
     public function __construct($secret, LoggerInterface $logger)
     {
         $this->secret = $secret;
@@ -52,7 +54,7 @@ class TokenManager
 
     public function generate(User $user, \DateTimeInterface $expiration)
     {
-        $token = \random_bytes(32);
+        $token = \random_bytes(self::TOKEN_LENGTH);
 
         $username = $user->getUsernameCanonical();
         if (empty($username)) {
@@ -60,7 +62,7 @@ class TokenManager
         }
 
         $timestamp = $expiration->getTimestamp();
-        $hash = \hash('sha512', $token.$username.$timestamp.$this->secret);
+        $hash = \hash('sha1', $token.$username.$timestamp.$this->secret);
 
         return [
             self::HASH => $hash,
@@ -72,7 +74,12 @@ class TokenManager
 
     public function verify($hash, $token, User $user, $timestamp)
     {
-        $token = \hex2bin($token);
+        $token = \hex2bin(\trim($token));
+
+        if (\strlen($token) !== self::TOKEN_LENGTH) {
+            return false;
+        }
+
         $username = $user->getUsernameCanonical();
 
         $date = \DateTimeImmutable::createFromFormat('U', $timestamp);
@@ -84,7 +91,7 @@ class TokenManager
             return false;
         }
 
-        $expected = \hash('sha512', $token.$username.$timestamp.$this->secret);
+        $expected = \hash('sha1', $token.$username.$timestamp.$this->secret);
 
         if ($expected !== $hash) {
             return false;
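Review bot: `TOKEN_LENGTH` carries no comment saying which length it measures; it is passed to `\random_bytes()` in generate() and compared against `\strlen()` of the decoded token in verify(), so it is the raw byte count, not the length of the hex string a user receives, which is twice that. A docblock such as `/** Length in bytes of the raw recovery token; its hex encoding is 2 * TOKEN_LENGTH characters. */` would keep the constant from being applied to the hex form by mistake. Consider declaring it `private const` as well, since nothing in this diff reads it from outside the class, though callers elsewhere in the project may.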
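Review bot: The digest is downgraded from SHA-512 to SHA-1 on the `$hash = \hash('sha1', …)` line with no reason given in the commit, and the same change is repeated in verify() in the last hunk. SHA-1 is deprecated for new designs, and nothing here needs it: the token is already fixed at 24 random bytes, so if a shorter value is the goal, `sha256` or a truncated digest is the safer choice. The secret is appended to the message rather than used as a key, so this is a plain hash of an undelimited concatenation; `\hash_hmac('sha256', $token.$username.$timestamp, $this->secret)` makes the secret's role explicit and would need the matching expression in verify(). Whatever algorithm is chosen, changing it invalidates recovery tokens issued before deploy, which deserves a sentence in the commit message. generate() starts in the previous hunk and continues past this one.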
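Review bot: `\hex2bin(\trim($token))` returns `false` and raises an E_WARNING for input that is not even-length hex, so the new `\strlen($token)` check then operates on `false`: that is `0` without strict_types and a TypeError under `declare(strict_types=1)`, and whether the warning itself becomes an exception depends on the host framework's error handler. Validating the hex form first and decoding only a well-formed string gives a clean `return false` on every malformed input. The `$hash` argument receives no shape check either; a guard that it is a string of the expected digest length is cheap. verify() continues past this hunk.
```php
    public function verify($hash, $token, User $user, $timestamp)
    {
        $token = \trim((string) $token);

        // Validate before decoding: hex2bin() warns and returns false on malformed input.
        if (\strlen($token) !== 2 * self::TOKEN_LENGTH || !\ctype_xdigit($token)) {
            return false;
        }

        $token = \hex2bin($token);

        // … unchanged: username lookup, timestamp parsing …
```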
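Review bot: The rewritten `$expected` value is still checked with `$expected !== $hash` on the following line, a byte-by-byte early-exit comparison of a secret-derived digest against caller-supplied input; `if (!\hash_equals($expected, (string) $hash)) {` makes the comparison constant-time. That line is not changed by the commit but sits directly on the modified path, and the SHA-1 concern raised on the generate() hunk applies to this `\hash('sha1', …)` call as well. verify() begins before this hunk and its tail lies outside it.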