diff --git a/.github/workflows/test-chart.yaml b/.github/workflows/test-chart.yaml
index 15cc373731..3bd348bc90 100644
--- a/.github/workflows/test-chart.yaml
+++ b/.github/workflows/test-chart.yaml
@@ -191,6 +191,9 @@ jobs:
 export STRING_REPLACER_A=$LOCAL_CHART_VERSION
 export STRING_REPLACER_B=$UPGRADE_FROM_VERSION
+ echo "NOTE: Helm diff upgrade won't trigger lookup functions, so it"
+ echo " will look like we seed new passwords all the time."
+ echo
 echo "NOTE: For the helm diff only, we have replaced the new chart"
 echo " version with the old chart version to reduce clutter."
 echo
diff --git a/jupyterhub/templates/hub/_helpers-passwords.tpl b/jupyterhub/templates/hub/_helpers-passwords.tpl
index 7ab87bd544..e804e6a7c2 100644
--- a/jupyterhub/templates/hub/_helpers-passwords.tpl
+++ b/jupyterhub/templates/hub/_helpers-passwords.tpl
@@ -5,37 +5,38 @@
 proxy.secretToken / hub.config.JupyterHub.proxy_auth_token
 hub.cookieSecret / hub.config.JupyterHub.cookie_secret
 auth.state.cryptoKey / hub.config.CryptKeeper.keys
+
+ Note that lookup logic returns falsy value when run with
+ `helm diff upgrade`, so it is a bit troublesome to test.
 */}}
 {{/*
 Returns given number of random Hex characters.
- In practice, it generates up to 100 randAlphaNum strings
- that are filtered from non-hex characters and augmented
- to the resulting string that is finally trimmed down.
+ - randNumeric 4 | atoi generates a random number in [0, 10^4)
+ This is a range range evenly divisble by 16, but even if off by one,
+ that last partial interval offsetting randomness is only 1 part in 625.
+ - mod N 16 maps to the range 0-15
+ - printf "%x" represents a single number 0-15 as a single hex character
 */}}
 {{- define "jupyterhub.randHex" -}}
 {{- $result := "" }}
- {{- range $i := until 100 }}
- {{- if lt (len $result) . }}
- {{- $rand_list := randAlphaNum . | splitList "" -}}
- {{- $reduced_list := without $rand_list "g" "h" "i" "j" "k" "l" "m" "n" "o" "p" "q" "r" "s" "t" "u" "v" "w" "x" "y" "z" "A" "B" "C" "D" "E" "F" "G" "H" "I" "J" "K" "L" "M" "N" "O" "P" "Q" "R" "S" "T" "U" "V" "W" "X" "Y" "Z" }}
- {{- $rand_string := join "" $reduced_list }}
- {{- $result = print $result $rand_string -}}
- {{- end }}
+ {{- range $i := until . }}
+ {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }}
+ {{- $result = print $result $rand_hex_char }}
 {{- end }}
- {{- $result | trunc . }}
+ {{- $result }}
 {{- end }}
 {{- define "jupyterhub.config.JupyterHub.proxy_auth_token" -}}
 {{- if .Values.proxy.secretToken }}
 {{- .Values.proxy.secretToken }}
 {{- else }}
- {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default dict }}
- {{- if and $k8s_state (hasKey $k8s_state "JupyterHub.proxy_auth_token") }}
- {{- index $k8s_state "JupyterHub.proxy_auth_token" }}
+ {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default (dict "data" (dict)) }}
+ {{- if hasKey $k8s_state.data "JupyterHub.proxy_auth_token" }}
+ {{- index $k8s_state.data "JupyterHub.proxy_auth_token" | b64dec }}
 {{- else }}
- {{- include "jupyterhub.randHex" 64 }}
+ {{- randAlphaNum 64 }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -44,9 +45,9 @@
 {{- if .Values.hub.cookieSecret }}
 {{- .Values.hub.cookieSecret }}
 {{- else }}
- {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default dict }}
- {{- if and $k8s_state (hasKey $k8s_state "JupyterHub.cookie_secret") }}
- {{- index $k8s_state "JupyterHub.cookie_secret" }}
+ {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default (dict "data" (dict)) }}
+ {{- if hasKey $k8s_state.data "JupyterHub.cookie_secret" }}
+ {{- index $k8s_state.data "JupyterHub.cookie_secret" | b64dec }}
 {{- else }}
 {{- include "jupyterhub.randHex" 64 }}
 {{- end }}
@@ -57,9 +58,9 @@
 {{- if .Values.hub.config.CryptKeeper }}
 {{- .Values.hub.config.CryptKeeper.keys | join ";" }}
 {{- else }}
- {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default dict }}
- {{- if and $k8s_state (hasKey $k8s_state "CryptKeeper.keys") }}
- {{- index $k8s_state "CryptKeeper.keys" }}
+ {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default (dict "data" (dict)) }}
+ {{- if hasKey $k8s_state.data "CryptKeeper.keys" }}
+ {{- index $k8s_state.data "CryptKeeper.keys" | b64dec }}
 {{- else }}
 {{- include "jupyterhub.randHex" 64 }}
 {{- end }}
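Review bot: The note added to the header comment mentions only `helm diff upgrade`, but `lookup` also returns an empty result under `helm template` and `--dry-run`, so in all of those renders the three helpers fall through to their random fallback. Where manifests rendered that way are what gets applied, the proxy token, cookie secret and CryptKeeper key would change on every render, which would invalidate existing login cookies and make stored encrypted auth state unreadable. I would say so in the comment, for example `Note that lookup returns nothing under helm template, --dry-run and helm diff upgrade, so fresh secrets are generated on each such render; set them explicitly when deploying that way.` The randHex comment in this hunk also has the typos `range range` and `divisble`, and nothing documents why proxy_auth_token now falls back to `randAlphaNum 64` while the other two helpers keep `jupyterhub.randHex`.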
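Review bot: `hasKey $k8s_state.data "JupyterHub.cookie_secret"` assumes a Secret returned by `lookup` always carries a `data` map, while the `default (dict "data" (dict))` fallback only covers the case where no Secret is found at all. If the Secret exists without a `data` field, `$k8s_state.data` is nil and `hasKey` would likely abort rendering with a type error instead of falling through to the generated value. Defaulting the field itself is more robust: `{{- $data := $k8s_state.data | default dict }}`, then `hasKey $data ...` and `index $data ... | b64dec`. The same pattern appears in the proxy_auth_token helper in the previous hunk and the CryptKeeper.keys helper in the next one. The helper's `define` line and its closing `end`s lie outside this hunk.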