diff --git a/cmd/kubeadm/app/cmd/token.go b/cmd/kubeadm/app/cmd/token.go
index bf81c87ccb5..600ee3c8341 100644
--- a/cmd/kubeadm/app/cmd/token.go
+++ b/cmd/kubeadm/app/cmd/token.go
@@ -108,7 +108,7 @@ func NewCmdTokenGenerate(out io.Writer) *cobra.Command {
 			the "init" and "join" commands.
 
 			You don't have to use this command in order to generate a token, you can do so
-			yourself as long as it's in the format "<6 characters>.<16 characters>". This
+			yourself as long as it's in the format "<6 characters>:<16 characters>". This
 			command is provided for convenience to generate tokens in that format.
 
 			You can also use "kubeadm init" without specifying a token, and it will
diff --git a/cmd/kubeadm/app/cmd/token_test.go b/cmd/kubeadm/app/cmd/token_test.go
index 2db9cd9e0b6..351a53dc18d 100644
--- a/cmd/kubeadm/app/cmd/token_test.go
+++ b/cmd/kubeadm/app/cmd/token_test.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	TokenExpectedRegex = "^\\S{6}\\.\\S{16}\n$"
+	TokenExpectedRegex = "^\\S{6}\\:\\S{16}\n$"
 )
 
 func TestRunGenerateToken(t *testing.T) {
diff --git a/cmd/kubeadm/app/util/tokens.go b/cmd/kubeadm/app/util/tokens.go
index ece12bf9bf7..4af28d1a7f5 100644
--- a/cmd/kubeadm/app/util/tokens.go
+++ b/cmd/kubeadm/app/util/tokens.go
@@ -36,13 +36,13 @@ import (
 
 const (
 	TokenIDBytes               = 3
-	TokenBytes                 = 8
+	TokenSecretBytes           = 8
 	BootstrapTokenSecretPrefix = "bootstrap-token-"
 	DefaultTokenDuration       = time.Duration(8) * time.Hour
 	tokenCreateRetries         = 5
 )
 
-func RandBytes(length int) (string, error) {
+func randBytes(length int) (string, error) {
 	b := make([]byte, length)
 	_, err := rand.Read(b)
 	if err != nil {
@@ -52,12 +52,12 @@ func RandBytes(length int) (string, error) {
 }
 
 func GenerateToken(d *kubeadmapi.TokenDiscovery) error {
-	tokenID, err := RandBytes(TokenIDBytes)
+	tokenID, err := randBytes(TokenIDBytes)
 	if err != nil {
 		return err
 	}
 
-	token, err := RandBytes(TokenBytes)
+	token, err := randBytes(TokenSecretBytes)
 	if err != nil {
 		return err
 	}
@@ -68,7 +68,7 @@ func GenerateToken(d *kubeadmapi.TokenDiscovery) error {
 }
 
 var (
-	tokenRegexpString = "^([a-zA-Z0-9]{6})\\.([a-zA-Z0-9]{16})$"
+	tokenRegexpString = "^([a-zA-Z0-9]{6})\\:([a-zA-Z0-9]{16})$"
 	tokenRegexp       = regexp.MustCompile(tokenRegexpString)
 )
 
@@ -96,15 +96,16 @@ func ParseToken(s string) (string, string, error) {
 
 }
 
+// BearerToken returns a string representation of the passed token.
 func BearerToken(d *kubeadmapi.TokenDiscovery) string {
-	return fmt.Sprintf("%s.%s", d.ID, d.Secret)
+	return fmt.Sprintf("%s:%s", d.ID, d.Secret)
 }
 
 func IsTokenValid(d *kubeadmapi.TokenDiscovery) (bool, error) {
 	if len(d.ID)+len(d.Secret) == 0 {
 		return false, nil
 	}
-	if _, _, err := ParseToken(d.ID + "." + d.Secret); err != nil {
+	if _, _, err := ParseToken(d.ID + ":" + d.Secret); err != nil {
 		return false, err
 	}
 	return true, nil
diff --git a/cmd/kubeadm/app/util/tokens_test.go b/cmd/kubeadm/app/util/tokens_test.go
index b3c8906fa08..1dd547b16e1 100644
--- a/cmd/kubeadm/app/util/tokens_test.go
+++ b/cmd/kubeadm/app/util/tokens_test.go
@@ -22,17 +22,20 @@ import (
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 )
 
-func TestTokenParseErrors(t *testing.T) {
+func TestTokenParse(t *testing.T) {
 	invalidTokens := []string{
+		// invalid parcel size
 		"1234567890123456789012",
-		"12345.1234567890123456",
+		"12345:1234567890123456",
 		".1234567890123456",
-		"123456.1234567890.123456",
+		// invalid separation
+		"123456:1234567890.123456",
+		"abcdef.1234567890123456",
 	}
 
 	for _, token := range invalidTokens {
 		if _, _, err := ParseToken(token); err == nil {
-			t.Errorf("generateTokenIfNeeded did not return an error for this invalid token: [%s]", token)
+			t.Errorf("ParseToken did not return an error for this invalid token: [%s]", token)
 		}
 	}
 }
@@ -59,12 +62,12 @@ func TestRandBytes(t *testing.T) {
 	}
 
 	for _, rt := range randTest {
-		actual, err := RandBytes(rt)
+		actual, err := randBytes(rt)
 		if err != nil {
-			t.Errorf("failed RandBytes: %v", err)
+			t.Errorf("failed randBytes: %v", err)
 		}
 		if len(actual) != rt*2 {
-			t.Errorf("failed RandBytes:\n\texpected: %d\n\t  actual: %d\n", rt*2, len(actual))
+			t.Errorf("failed randBytes:\n\texpected: %d\n\t  actual: %d\n", rt*2, len(actual))
 		}
 	}
 }
diff --git a/cmd/kubeadm/test/token_test.go b/cmd/kubeadm/test/token_test.go
index 3f462403e55..5f08f7586fe 100644
--- a/cmd/kubeadm/test/token_test.go
+++ b/cmd/kubeadm/test/token_test.go
@@ -25,7 +25,7 @@ import (
 )
 
 const (
-	TokenExpectedRegex = "^\\S{6}\\.\\S{16}\n$"
+	TokenExpectedRegex = "^\\S{6}\\:\\S{16}\n$"
 )
 
 var kubeadmPath string