diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index d695968..86ffe9e 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -123,6 +123,10 @@ public function form(array $form, FormStateInterface $form_state) {
 $user_pass_reset = isset($_SESSION[$session_key]) && Crypt::hashEquals($_SESSION[$session_key], $token);
 $form_state->set('user_pass_reset', $user_pass_reset);
 }
+ else {
+ // If user is resetting password, then make sure that the password field is required.
+ $form['account']['pass']['#required'] = TRUE;
+ }
 // The user must enter their current password to change to a new one.
 if ($user->id() == $account->id()) {
diff --git a/core/modules/user/src/Tests/UserRegistrationTest.php b/core/modules/user/src/Tests/UserRegistrationTest.php
index ca7a4f0..18eefba 100644
--- a/core/modules/user/src/Tests/UserRegistrationTest.php
+++ b/core/modules/user/src/Tests/UserRegistrationTest.php
@@ -49,6 +49,17 @@ public function testRegistrationWithEmailVerification() {
 $resetURL = user_pass_reset_url($new_user);
 $this->drupalGet($resetURL);
 $this->assertTitle(t('Set password | Drupal'), 'Page title is "Set password".');
+ $this->drupalPostForm(NULL, [], t('Log in'));
+
+ // Attempt submitting the form without changing the password.
+ $this->drupalPostForm(NULL, [], t('Save'));
+ $this->assertText(t('Password field is required.'), 'Password required.');
+ // Now enter the password.
+ $password = user_password();
+ $edit = ['pass[pass1]' => $password, 'pass[pass2]' => $password];
+ $this->drupalPostForm(NULL, $edit, t('Save'));
+ $this->assertText(t('The changes have been saved.'), 'New user successfully set password.');
+ $this->drupalLogout();
 // Allow registration by site visitors, but require administrator approval.
 $config->set('register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL)->save();
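Review bot: In core/modules/user/src/AccountForm.php the added `else` marks `$form['account']['pass']` as required without consulting the validated `user_pass_reset` value, so the rule is tied to whichever requests skip the token check rather than to a confirmed password reset. The `if` this `else` pairs with opens above the hunk, so its exact condition is inferred; but as shown, the branch that runs `Crypt::hashEquals()` never sets `#required`, and an ordinary account edit that falls into the `else` would apparently be forced to supply a new password. Keying the flag on the stored result after the block would match the comment's intent: `if ($form_state->get('user_pass_reset')) { $form['account']['pass']['#required'] = TRUE; }`. `form()` continues outside the hunk.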
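Review bot: In core/modules/user/src/Tests/UserRegistrationTest.php the new assertions cover only the one-time-link path, so nothing pins down that the password stays optional on an ordinary account edit with no reset token. A case before `$this->drupalLogout();` that saves the edit form without a token and checks `$this->assertNoText(t('Password field is required.'));` would catch a requirement that is applied too broadly. `testRegistrationWithEmailVerification()` starts and ends outside the hunk.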