diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index d94d500..b157f1f 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -617,10 +617,9 @@ function user_cancel_url(UserInterface $account, $options = array()) {
  * This hash is normally used to build a unique and secure URL that is sent to
  * the user by email for purposes such as resetting the user's password. In
  * order to validate the URL, the same hash can be generated again, from the
- * same information, and compared to the hash value from the URL. The URL
- * normally contains the time stamp, the numeric user ID, and the user's email
- * address. The login timestamp and hashed password are retrieved from the
- * database as necessary.
+ * same information, and compared to the hash value from the URL. The hash
+ * contains the time stamp, the user's last login time, the numeric user ID,
+ * and the user's email address.
  * For a usage example, see user_cancel_url() and
  * \Drupal\user\Controller\UserController::confirmCancel().
  *
@@ -633,14 +632,11 @@ function user_cancel_url(UserInterface $account, $options = array()) {
  * A string that is safe for use in URLs and SQL statements.
  */
 function user_pass_rehash(UserInterface $account, $timestamp) {
-  // Build $data to include unique elements in this token.
   $data = $timestamp;
   $data .= $account->getLastLoginTime();
   $data .= $account->id();
   $data .= $account->getEmail();
-  $key = Settings::getHashSalt();
-  $key .= $account->getPassword();
-  return Crypt::hmacBase64($data, $key);
+  return Crypt::hmacBase64($data, Settings::getHashSalt() . $account->getPassword());
 }
 
 /**
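Review bot: The three added docblock lines now describe only the HMAC message and drop the old text's mention of the hashed password, so a reader no longer learns what the hash is keyed with — and keying with the password hash is the property that matters, because it is what invalidates every outstanding reset link when the password (or the site hash salt) changes. Suggest appending after `and the user's email address.` the two lines ` * The hash is keyed with the site's hash salt and the user's current password` and ` * hash, so changing either invalidates any previously generated URL.`. The docblock's opening `/**` and @param lines lie outside this hunk.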
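Review bot: The fields folded into `$data` are concatenated with no delimiter, so the boundaries between `$timestamp`, the last-login time, the uid and the email are ambiguous in the HMAC message; as far as the hunk shows only `$timestamp` comes from the URL and the rest is read from the account, so this looks like a robustness rather than an exploitable issue, but changing the layout now would invalidate every link already sent, which is why it deserves a comment rather than a silent fix. Inlining the key also removes the named `$key`, and with it the only hint that the password hash is key material. Suggest restoring that intent as a comment above the return, `// Keyed with the site hash salt plus the stored password hash so that a password change invalidates outstanding links.`, and a note at `$data = $timestamp;` that the undelimited field order is part of the token format and must not change without invalidating existing URLs. If `getPassword()` can return NULL for password-less accounts the key degrades to the salt alone — worth confirming against the entity definition, which is not visible here.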