diff --git a/API/ROLAC.API/Services/UserManagementService.cs b/API/ROLAC.API/Services/UserManagementService.cs
index 8074d50..3e0040d 100644
--- a/API/ROLAC.API/Services/UserManagementService.cs
+++ b/API/ROLAC.API/Services/UserManagementService.cs
@@ -1,3 +1,4 @@
+using System.Security.Cryptography;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
 using ROLAC.API.Data;
@@ -220,13 +221,21 @@ public class UserManagementService : IUserManagementService
         const string special = "!@#$%^";
         const string all     = upper + lower + digits + special;
 
-        var rng = new Random();
-        var pw  = new char[12];
-        pw[0] = upper[rng.Next(upper.Length)];
-        pw[1] = lower[rng.Next(lower.Length)];
-        pw[2] = digits[rng.Next(digits.Length)];
-        pw[3] = special[rng.Next(special.Length)];
-        for (var i = 4; i < 12; i++) pw[i] = all[rng.Next(all.Length)];
-        return new string(pw.OrderBy(_ => rng.Next()).ToArray());
+        // Use cryptographically secure random number generator
+        var pw = new char[12];
+        pw[0] = upper[RandomNumberGenerator.GetInt32(upper.Length)];
+        pw[1] = lower[RandomNumberGenerator.GetInt32(lower.Length)];
+        pw[2] = digits[RandomNumberGenerator.GetInt32(digits.Length)];
+        pw[3] = special[RandomNumberGenerator.GetInt32(special.Length)];
+        for (var i = 4; i < 12; i++) pw[i] = all[RandomNumberGenerator.GetInt32(all.Length)];
+
+        // Shuffle using Fisher-Yates with cryptographic randomness
+        for (var i = pw.Length - 1; i > 0; i--)
+        {
+            var j = RandomNumberGenerator.GetInt32(i + 1);
+            (pw[i], pw[j]) = (pw[j], pw[i]);
+        }
+
+        return new string(pw);
     }
 }