diff --git a/kong/tools/rand.lua b/kong/tools/rand.lua
index cfb4bfbf3409..c32b8b5a96f2 100644
--- a/kong/tools/rand.lua
+++ b/kong/tools/rand.lua
@@ -120,10 +120,19 @@ do
 -- get 24 bytes, which will return a 32 char string after encoding
 -- this is done in attempt to maintain backwards compatibility as
 -- much as possible while improving the strength of this function
- return encode_base64(get_rand_bytes(24, true))
- :gsub("/", char(rand(48, 57))) -- 0 - 10
- :gsub("+", char(rand(65, 90))) -- A - Z
- :gsub("=", char(rand(97, 122))) -- a - z
+ local str = encode_base64(get_rand_bytes(24, true))
+
+ if str:find("/", 1, true) then
+ str = str:gsub("/", char(rand(48, 57))) -- 0 - 10
+ end
+
+ if str:find("+", 1, true) then
+ str = str:gsub("+", char(rand(65, 90))) -- A - Z
+ end
+
+ -- no gsub for "=" since no padding
+
+ return str
 end
 end
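Review bot: Dropping the `=` substitution is only correct while the length passed to `get_rand_bytes` stays a multiple of 3, and the new comment does not tie the two together; I would write it as `-- 24 is a multiple of 3, so the base64 output has no "=" padding; restore the "=" substitution if this length changes`. Every `/` (and every `+`) is still replaced by one shared character drawn from `rand`, so if `rand` is `math.random` (its definition is outside the hunk) those positions come from a non-cryptographic generator and should not be counted as entropy when the string is used as a secret. The trailing comment `-- 0 - 10` is inaccurate, since codes 48–57 are the digits `0`–`9`. `return str` now yields a single value where the old chained `gsub` also returned the substitution count, which is worth stating in the commit message for any caller that forwarded all results; the function's opening line is outside the hunk.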