diff --git a/application/src/main/java/org/thingsboard/server/controller/AuthController.java b/application/src/main/java/org/thingsboard/server/controller/AuthController.java
index d0e382f888..113c292380 100644
--- a/application/src/main/java/org/thingsboard/server/controller/AuthController.java
+++ b/application/src/main/java/org/thingsboard/server/controller/AuthController.java
@@ -75,7 +75,7 @@ import java.util.concurrent.ConcurrentMap;
 @RequiredArgsConstructor
 public class AuthController extends BaseController {
- @Value("${rate_limits.reset_password_per_user:5:3600}")
+ @Value("${server.rest.rate_limits.reset_password_per_user:5:3600}")
 private String defaultLimitsConfiguration;
 private final ConcurrentMap resetPasswordRateLimits = new ConcurrentHashMap<>();
 private final BCryptPasswordEncoder passwordEncoder;
diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index 7a5a1e57fd..d5d3a9dbd0 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@@ -73,6 +73,8 @@ server:
 min_timeout: "${MIN_SERVER_SIDE_RPC_TIMEOUT:5000}"
 # Default value of the server side RPC timeout.
 default_timeout: "${DEFAULT_SERVER_SIDE_RPC_TIMEOUT:10000}"
+ rate_limits:
+ reset_password_per_user: "${RESET_PASSWORD_PER_USER_RATE_LIMIT_CONFIGURATION:5:3600}"
 # Application info
 app:
@@ -1209,5 +1211,4 @@ management:
 exposure:
 # Expose metrics endpoint (use value 'prometheus' to enable prometheus metrics).
 include: '${METRICS_ENDPOINTS_EXPOSE:info}'
-rate_limits:
- reset_password_per_user: "${RESET_PASSWORD_PER_USER_RATE_LIMIT_CONFIGURATION:5:3600}"
+
diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/StringUtils.java b/common/data/src/main/java/org/thingsboard/server/common/data/StringUtils.java
index 7a4c180b9c..3b38aa57c1 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/StringUtils.java
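Review bot: In AuthController, the inline fallback in `@Value("${server.rest.rate_limits.reset_password_per_user:5:3600}")` means a deployment that still sets the old top-level `rate_limits.reset_password_per_user` key in its own configuration file will silently run with `5:3600` after this rename, with no startup error or log line. The environment variable name is unchanged, so overrides made that way should keep working, but file-based overrides of a password-reset throttle are worth calling out in the upgrade notes. I would also document the field, for example `// Password-reset limit per user; read from server.rest.rate_limits.reset_password_per_user (previously top-level rate_limits).` The code that parses this value is outside the hunk, so the exact meaning of the two numbers should be confirmed there before it is written into the comment.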
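Review bot: In thingsboard.yml (hunk at line 73), the relocated `rate_limits.reset_password_per_user` entry has no descriptive comment, unlike the RPC timeout keys directly above it. A line such as `# Rate limit for password reset requests per user, given as two colon-separated numbers (default 5:3600).` would tell operators what they are tuning; the meaning of each number is not visible on this page and should be filled in from the rate-limit parser. Indentation is not recoverable from this view, so it is also worth confirming that the block nests exactly at `server.rest`, because a mismatch with the property path read in AuthController would be hidden by that field's inline default.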
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/StringUtils.java @@ -24,6 +24,8 @@ import java.util.Base64; import static org.apache.commons.lang3.StringUtils.repeat; public class StringUtils { + public static final SecureRandom RANDOM = new SecureRandom(); + public static final String EMPTY = ""; public static final int INDEX_NOT_FOUND = -1; @@ -184,9 +186,8 @@ public class StringUtils { } public static String generateSafeToken(int length) { - SecureRandom random = new SecureRandom(); byte[] bytes = new byte[length]; - random.nextBytes(bytes); + RANDOM.nextBytes(bytes); Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding(); return encoder.encodeToString(bytes); }
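Review bot: In StringUtils (hunk at line 24), `RANDOM` is declared `public` on a general-purpose utility class, which makes the shared `SecureRandom` part of the class's public API although `generateSafeToken` is the only user shown. I would narrow it to `private static final SecureRandom SECURE_RANDOM = new SecureRandom();` (updating the call in `generateSafeToken` to match) and add a short comment that one instance is shared because `SecureRandom` is thread-safe and does not need to be re-created per token. If other classes are meant to reuse it, a small static accessor keeps the field itself encapsulated; whether any do is not visible from this diff.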
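Review bot: `generateSafeToken(int length)` (hunk at line 184) uses `length` as the number of random bytes, so the returned unpadded URL-safe Base64 string is longer than `length` characters, and nothing on the method says so. A Javadoc stating that `length` is the count of random bytes and that the result is their unpadded URL-safe Base64 encoding would prevent callers from mis-sizing tokens. A guard such as `if (length <= 0) throw new IllegalArgumentException("length must be positive");` would additionally turn a zero-length request, which currently yields an empty token, into an explicit error. The callers are outside this diff, so whether any passes a very small value is unverified.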