diff --git a/core/modules/user/src/Form/UserPasswordResetForm.php b/core/modules/user/src/Form/UserPasswordResetForm.php
index 58f177f..a4d0dcd 100644
--- a/core/modules/user/src/Form/UserPasswordResetForm.php
+++ b/core/modules/user/src/Form/UserPasswordResetForm.php
@@ -109,6 +109,22 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
     // Let the user's password be changed without the current password check.
     $token = Crypt::randomBytesBase64(55);
     $_SESSION['pass_reset_' . $user->id()] = $token;
+
+    $flood_config = $this->config('user.flood');
+    if ($flood_config->get('uid_only')) {
+      // Register flood events based on the uid only, so they apply for any
+      // IP address. This is the most secure option.
+      $identifier = $user->id();
+    }
+    else {
+      // The default identifier is a combination of uid and IP address. This
+      // is less secure but more resistant to denial-of-service attacks that
+      // could lock out all users with public user names.
+      $identifier = $user->id() . '-' . $this->getRequest()->getClientIP();
+    }
+    \Drupal::flood()->clear('user.failed_login_ip');
+    \Drupal::flood()->clear('user.failed_login_user', $identifier);
+
     $form_state->setRedirect(
       'entity.user.edit_form',
       array('user' => $user->id()),
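Review bot: The two `\Drupal::flood()->clear(...)` calls reach for the static service locator in a form class that already obtains its dependencies through `$this->config()` and `$this->getRequest()`; inject `FloodInterface` via the constructor and `create()` and call `$this->flood->clear('user.failed_login_ip');` / `$this->flood->clear('user.failed_login_user', $identifier);` instead, which also lets tests substitute the flood backend. The identifier built here (uid only, or uid plus client IP, chosen by the `user.flood` `uid_only` setting) has to match exactly what the login path registers under `user.failed_login_user`, otherwise the lockout is never cleared; if the same branch exists in the login form it belongs in one shared helper, and a comment such as `// Must mirror the identifier used when the failed-login event is registered.` should sit above the `if`. The first `clear()` passes no identifier, so it relies on the flood service defaulting to the current client IP — worth a one-line comment, since a reader cannot tell whether the omission is deliberate. Minor: Symfony declares the method as `getClientIp()`; PHP resolves it case-insensitively, but matching the declared spelling keeps static analysis quiet. `submitForm()` starts before and continues after this hunk.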