diff --git a/lost.go b/lost.go
index 7afe093..8fbef23 100644
--- a/lost.go
+++ b/lost.go
@@ -49,6 +49,16 @@ func storeResetToken(token string, dn string) {
 	}
 }
 
+func peekResetToken(token string) bool {
+	resetTokenStore.mu.Lock()
+	defer resetTokenStore.mu.Unlock()
+	entry, ok := resetTokenStore.tokens[token]
+	if !ok || time.Now().After(entry.expiresAt) {
+		return false
+	}
+	return true
+}
+
 func consumeResetToken(token string) (string, bool) {
 	resetTokenStore.mu.Lock()
 	defer resetTokenStore.mu.Unlock()
diff --git a/reset.go b/reset.go
index a65c27c..143976e 100644
--- a/reset.go
+++ b/reset.go
@@ -22,6 +22,12 @@ func resetPassword(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if r.Method != "POST" {
+		if !peekResetToken(r.URL.Query().Get("t")) {
+			displayTmplError(w, http.StatusGone, "lost.html", map[string]any{
+				"error": "Token invalid or expired, please retry the lost password procedure. Tokens expire after 1 hour.",
+			})
+			return
+		}
 		csrfToken, err := setCSRFToken(w)
 		if err != nil {
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
diff --git a/static/reset.html b/static/reset.html
index 7cf48b1..379754c 100644
--- a/static/reset.html
+++ b/static/reset.html
@@ -1,8 +1,8 @@
 {{template "header" .}}
-  <h1 class="page-title">Forgot your password?</h1>
-  <p class="page-subtitle">Define a new one!</p>
+  <h1 class="page-title">Define your new password</h1>
+  <p class="page-subtitle">Choose a strong password to secure your account.</p>
 
-  <form method="post" action="reset">
+  <form method="post" action="reset?l={{ .login }}&t={{ .token }}">
     {{if .error}}<div class="alert alert-error" role="alert">{{.error}}</div>{{end}}
     <input type="hidden" name="csrf_token" value="{{ .csrf_token }}">
     <div class="form-field">