diff --git a/core/modules/user/lib/Drupal/user/Form/UserPasswordResetForm.php b/core/modules/user/lib/Drupal/user/Form/UserPasswordResetForm.php
new file mode 100644
index 0000000..988468b
--- /dev/null
+++ b/core/modules/user/lib/Drupal/user/Form/UserPasswordResetForm.php
@@ -0,0 +1,202 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\user\Form\UserPasswordResetForm.
+ */
+
+namespace Drupal\user\Form;
+
+use Drupal\Core\Controller\ControllerInterface;
+use Drupal\Core\Form\FormInterface;
+use Drupal\user\UserStorageControllerInterface;
+use Drupal\Core\Routing\PathBasedGeneratorInterface;
+use Drupal\Core\StringTranslation\TranslationManager;
+use Drupal\Core\Config\Config;
+use Drupal\Component\Utility\Crypt;
+use Drupal\Core\Datetime\Date;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+/**
+ * Form controller for the user password reset form.
+ */
+class UserPasswordResetForm implements FormInterface, ControllerInterface {
+
+  /**
+   * The user entity storage controller.
+   *
+   * @var \Drupal\user\UserStorageControllerInterface
+   */
+  protected $userStorageController;
+
+  /**
+   * The translation manager service.
+   *
+   * @var \Drupal\Core\StringTranslation\TranslationManager
+   */
+  protected $translationManager;
+
+  /**
+   * The URL generator service.
+   *
+   * @var \Drupal\Core\Routing\PathBasedGeneratorInterface
+   */
+  protected $urlGenerator;
+
+  /**
+   * The user settings config object.
+   *
+   * @var \Drupal\Core\Config\Config
+   */
+  protected $userConfig;
+
+  /**
+   * The date service.
+   *
+   * @var \Drupal\Core\Datetime\Date
+   */
+  protected $date;
+
+  /**
+   * Constructs a UserPasswordResetForm object.
+   *
+   * @param \Drupal\user\UserStorageControllerInterface $storage_controller
+   *   The user storage controller.
+   * @param \Drupal\Core\StringTranslation\TranslationManager $translation_manager
+   *   The translation manager service.
+   * @param \Drupal\Core\Routing\PathBasedGeneratorInterface $url_generator
+   *   The URL generator service.
+   * @param \Drupal\Core\Config\Config $user_config
+   *   The user settings config object.
+   * @param \Drupal\Core\Datetime\Date $date
+   *   The date service.
+   */
+  public function __construct(UserStorageControllerInterface $storage_controller, TranslationManager $translation_manager, PathBasedGeneratorInterface $url_generator, Config $user_config, Date $date) {
+    $this->userStorageController = $storage_controller;
+    $this->translationManager = $translation_manager;
+    $this->urlGenerator = $url_generator;
+    $this->userConfig = $user_config;
+    $this->date = $date;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container) {
+    return new static(
+      $container->get('plugin.manager.entity')->getStorageController('user'),
+      $container->get('string_translation'),
+      $container->get('url_generator'),
+      $container->get('config.factory')->get('user.settings'),
+      $container->get('date')
+    );
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function getFormID() {
+    return 'user_pass_reset';
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function buildForm(array $form, array &$form_state, $uid = NULL, $timestamp = NULL, $hash = NULL, Request $request = NULL, $operation = 'confirm') {
+    $account = $request->attributes->get('_account');
+
+    // When processing the one-time login link, we have to make sure that a user
+    // isn't already logged in.
+    if ($account->isAuthenticated()) {
+      // The existing user is already logged in.
+      if ($account->id() == $uid) {
+        drupal_set_message($this->translationManager->translate('You are logged in as %user. <a href="!user_edit">Change your password.</a>', array('%user' => $account->getUsername(), '!user_edit' => url("user/" . $account->id() . "/edit"))));
+      }
+      // A different user is already logged in on the computer.
+      else {
+        $reset_link_user = $this->userStorageController->load($uid);
+        if (!empty($reset_link_user)) {
+          drupal_set_message($this->translationManager->translate('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.',
+            array('%other_user' => $account->getUsername(), '%resetting_user' => $reset_link_user->getUsername(), '!logout' => $this->urlGenerator->generateFromPath('user/logout'))));
+        } else {
+          // Invalid one-time link specifies an unknown user.
+          drupal_set_message($this->translationManager->translate('The one-time login link you clicked is invalid.'));
+        }
+      }
+      return new RedirectResponse($this->urlGenerator->generateFromPath('<front>', array('absolute' => TRUE)));
+    }
+    else {
+      // Time out, in seconds, until login URL expires.
+      $timeout = $this->userConfig->get('password_reset_timeout');
+      $current = REQUEST_TIME;
+      $user = $this->userStorageController->load($uid);
+      // Verify that the user exists and is active.
+      if ($user->isActive()) {
+        // No time out for first time login.
+        if ($user->getLastLoginTime() && $current - $timestamp > $timeout) {
+          drupal_set_message($this->translationManager->translate('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
+          return new RedirectResponse($this->urlGenerator->generateFromPath('user/password', array('absolute' => TRUE)));
+        }
+        elseif ($user->isAuthenticated() && $timestamp >= $user->getLastLoginTime() && $timestamp <= $current && $hash == user_pass_rehash($user->getPassword(), $timestamp, $user->getLastLoginTime())) {
+          // First stage is a confirmation form, then login
+          if ($operation == 'login') {
+            // Set the new user.
+            // user_login_finalize() also updates the login timestamp of the
+            // user, which invalidates further use of the one-time login link.
+            user_login_finalize($user);
+            watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $user->getUsername(), '%timestamp' => $timestamp));
+            drupal_set_message($this->translationManager->translate('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
+            // Let the user's password be changed without the current password check.
+            $token = Crypt::randomStringHashed(55);
+            $_SESSION['pass_reset_' . $user->id()] = $token;
+            return new RedirectResponse($this->urlGenerator->generateFromPath('user/' . $user->id() . '/edit', array(
+              'query' => array('pass-reset-token' => $token),
+              'absolute' => TRUE,
+            )));
+          }
+          else {
+            if (!$user->getLastLoginTime()) {
+              // No expiration for first time login.
+              $form['message'] = array('#markup' => $this->translationManager->translate('<p>This is a one-time login for %user_name.</p><p>Click on this button to log in to the site and change your password.</p>', array('%user_name' => $user->getUsername())));
+            }
+            else {
+              $form['message'] = array('#markup' => $this->translationManager->translate('<p>This is a one-time login for %user_name and will expire on %expiration_date.</p><p>Click on this button to log in to the site and change your password.</p>', array('%user_name' => $user->getUsername(), '%expiration_date' => $this->date->format($timestamp + $timeout))));
+            }
+            $form['help'] = array('#markup' => '<p>' . $this->translationManager->translate('This login can be used only once.') . '</p>');
+            $form['actions'] = array('#type' => 'actions');
+            $form['actions']['submit'] = array('#type' => 'submit', '#value' => $this->translationManager->translate('Log in'));
+            $form['#action'] = $this->urlGenerator->generateFromPath("user/reset/$uid/$timestamp/$hash/login");
+            return $form;
+          }
+        }
+        else {
+          drupal_set_message($this->translationManager->translate('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
+          return new RedirectResponse($this->urlGenerator->generateFromPath('user/password', array('absolute' => TRUE)));
+        }
+      }
+      else {
+        // Deny access, no more clues.
+        // Everything will be in the watchdog's URL for the administrator to check.
+        throw new AccessDeniedHttpException();
+      }
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function validateForm(array &$form, array &$form_state) {
+
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function submitForm(array &$form, array &$form_state) {
+
+  }
+
+}
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 60da26c..89f8180 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -820,14 +820,6 @@ function user_menu() {
     'route_name' => 'user_pass',
     'type' => MENU_LOCAL_TASK,
   );
-  $items['user/reset/%/%/%'] = array(
-    'title' => 'Reset password',
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('user_pass_reset', 2, 3, 4),
-    'access callback' => TRUE,
-    'type' => MENU_CALLBACK,
-    'file' => 'user.pages.inc',
-  );
 
   $items['user/logout'] = array(
     'title' => 'Log out',
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index 04bd69c..7d7a219 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -12,89 +12,6 @@
 use Drupal\Component\Utility\Crypt;
 
 /**
- * Menu callback; process one time login link and redirects to the user page on success.
- */
-function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $action = NULL) {
-  global $user;
-
-  // When processing the one-time login link, we have to make sure that a user
-  // isn't already logged in.
-  if ($user->isAuthenticated()) {
-    // The existing user is already logged in.
-    if ($user->id() == $uid) {
-      drupal_set_message(t('You are logged in as %user. <a href="!user_edit">Change your password.</a>', array('%user' => $user->getUsername(), '!user_edit' => url("user/" . $user->id() . "/edit"))));
-    }
-    // A different user is already logged in on the computer.
-    else {
-      $reset_link_account = user_load($uid);
-      if (!empty($reset_link_account)) {
-        drupal_set_message(t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.',
-          array('%other_user' => $user->getUsername(), '%resetting_user' => $reset_link_account->getUsername(), '!logout' => url('user/logout'))));
-      } else {
-        // Invalid one-time link specifies an unknown user.
-        drupal_set_message(t('The one-time login link you clicked is invalid.'));
-      }
-    }
-    return new RedirectResponse(url('<front>', array('absolute' => TRUE)));
-  }
-  else {
-    // Time out, in seconds, until login URL expires.
-    $timeout = config('user.settings')->get('password_reset_timeout');
-    $current = REQUEST_TIME;
-    $account = user_load($uid);
-    // Verify that the user exists and is active.
-    if ($timestamp <= $current && $account && $account->isActive()) {
-      // No time out for first time login.
-      if ($account->getLastLoginTime() && $current - $timestamp > $timeout) {
-        drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
-        return new RedirectResponse(url('user/password', array('absolute' => TRUE)));
-      }
-      elseif ($account->isAuthenticated() && $timestamp >= $account->getLastLoginTime() && $timestamp <= $current && $hashed_pass == user_pass_rehash($account->getPassword(), $timestamp, $account->getLastLoginTime())) {
-        // First stage is a confirmation form, then login
-        if ($action == 'login') {
-          // Set the new user.
-          // user_login_finalize() also updates the login timestamp of the
-          // user, which invalidates further use of the one-time login link.
-          user_login_finalize($account);
-          watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->getUsername(), '%timestamp' => $timestamp));
-          drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
-          // Let the user's password be changed without the current password check.
-          $token = Crypt::randomStringHashed(55);
-          $_SESSION['pass_reset_' . $user->id()] = $token;
-          return new RedirectResponse(url('user/' . $user->id() . '/edit', array(
-            'query' => array('pass-reset-token' => $token),
-            'absolute' => TRUE,
-          )));
-        }
-        else {
-          if (!$account->getLastLoginTime()) {
-            // No expiration for first time login.
-            $form['message'] = array('#markup' => t('<p>This is a one-time login for %user_name.</p><p>Click on this button to log in to the site and change your password.</p>', array('%user_name' => $account->getUsername())));
-          }
-          else {
-            $form['message'] = array('#markup' => t('<p>This is a one-time login for %user_name and will expire on %expiration_date.</p><p>Click on this button to log in to the site and change your password.</p>', array('%user_name' => $account->getUsername(), '%expiration_date' => format_date($timestamp + $timeout))));
-          }
-          $form['help'] = array('#markup' => '<p>' . t('This login can be used only once.') . '</p>');
-          $form['actions'] = array('#type' => 'actions');
-          $form['actions']['submit'] = array('#type' => 'submit', '#value' => t('Log in'));
-          $form['#action'] = url("user/reset/$uid/$timestamp/$hashed_pass/login");
-          return $form;
-        }
-      }
-      else {
-        drupal_set_message(t('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.'));
-        return new RedirectResponse(url('user/password', array('absolute' => TRUE)));
-      }
-    }
-    else {
-      // Deny access, no more clues.
-      // Everything will be in the watchdog's URL for the administrator to check.
-      throw new AccessDeniedHttpException();
-    }
-  }
-}
-
-/**
  * Prepares variables for user templates.
  *
  * Default template: user.html.twig.
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index 90570ea..c057998 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -89,6 +89,14 @@ user_pass:
   requirements:
     _access: 'TRUE'
 
+user_pass_reset:
+  pattern: '/user/reset/{uid}/{timestamp}/{hash}/{operation}'
+  defaults:
+    _form: '\Drupal\user\Form\UserPasswordResetForm'
+    operation: 'confirm'
+  requirements:
+    _access: 'TRUE'
+
 user_page:
   pattern: '/user'
   defaults: