diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index c54bd4c..47174f4 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -113,8 +113,9 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
 drupal_goto();
 }
 else {
- // Time out, in seconds, until login URL expires. 24 hours = 86400 seconds.
- $timeout = 86400;
+ // Time out, in seconds, until login URL expires. If a timeout hasn't been
+ // set defaults to 24 hours = 86400 seconds.
+ $timeout = variable_get('user_password_reset_timeout', 86400);
 $current = REQUEST_TIME;
 // Some redundant checks for extra security ?
 $users = user_load_multiple(array($uid), array('status' => '1'));
diff --git a/core/modules/user/user.test b/core/modules/user/user.test
index 95b3cce..98d8016 100644
--- a/core/modules/user/user.test
+++ b/core/modules/user/user.test
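Review bot: The new `$timeout = variable_get('user_password_reset_timeout', 86400);` feeds an unvalidated configuration value straight into the expiry arithmetic that follows; a zero, negative or non-numeric setting would make every one-time login link expire immediately, and nothing bounds how long a leaked link stays usable if the value is set very large. A minimal guard keeps the default when the setting is unusable: `$timeout = (int) variable_get('user_password_reset_timeout', 86400);` followed by `if ($timeout <= 0) { $timeout = 86400; }`, and the comment above it reads better as `// Time out, in seconds, until the login URL expires. Defaults to 24 hours (86400 seconds) when user_password_reset_timeout is not set.`. If the module's outgoing mail text elsewhere states a fixed one-day validity, it is now out of sync with this setting, though that text is not visible in the hunk. The body of user_pass_reset() begins and ends outside the hunk.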
@@ -439,6 +439,58 @@ class UserLoginTestCase extends DrupalWebTestCase {
 }
 
 /**
+ * Test resetting a user password.
+ */
+class UserPasswordResetTestCase extends DrupalWebTestCase {
+ protected $profile = 'standard';
+
+ public static function getInfo() {
+ return array(
+ 'name' => 'Reset password',
+ 'description' => 'Ensure that password reset methods work as expected.',
+ 'group' => 'User',
+ );
+ }
+
+ /**
+ * Tests password reset functionality.
+ */
+ function testUserPasswordReset() {
+ // Create a user.
+ $account = $this->drupalCreateUser();
+ $this->drupalLogin($account);
+ $this->drupalLogout();
+ // Attempt to reset password.
+ $edit = array('name' => $account->name);
+ $this->drupalPost('user/password', $edit, t('E-mail new password'));
+ // Confirm the password reset.
+ $this->assertText(t('Further instructions have been sent to your e-mail address.'), 'Password reset instructions mailed message displayed.');
+ }
+
+ /**
+ * Attempt expired password reset.
+ */
+ function testUserPasswordResetExpired() {
+ // Set password reset timeout variable to 259200 = 72 hours (3 days).
+ $timeout = 259200;
+ variable_set('user_password_reset_timeout', $timeout);
+
+ // Create a user.
+ $account = $this->drupalCreateUser();
+ $this->drupalLogin($account);
+ // Load real user object.
+ $account = user_load($account->uid, TRUE);
+ $this->drupalLogout();
+
+ // To attempt an expired password reset, create a password reset link as if
+ // its request time was 60 seconds older than the allowed limit of timeout.
+ $bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60;
+ $this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
+ $this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
+ }
+}
+
+/**
+ * Test cancelling a user.
 */
 class UserCancelTestCase extends DrupalWebTestCase {
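Review bot: testUserPasswordResetExpired() cannot detect a regression in the new setting: it configures a 72-hour timeout and then requests a link that is 259260 seconds old, which is also past the old hard-coded 24 hours, so the expired message would appear whether or not user_password_reset_timeout is honoured. The test should additionally request a link that is older than 86400 seconds but inside the configured 259200 and assert it is not rejected, and it can use the local `$timeout` instead of reading the variable back through variable_get(). The one-time login page's own wording is not visible in the hunk, so the positive check below asserts on the absence of the expiry message rather than on that text. testUserPasswordReset() likewise only checks the confirmation message and never exercises the mailed link, so the new timeout code path is only reached through the expired case.
```php
  function testUserPasswordResetExpired() {
    // … unchanged: variable_set(), user creation, user_load(), logout …

    // A link older than the old hard-coded 24 hours but inside the configured
    // 72 hours must still be accepted; this is what proves the setting is read.
    $valid_timestamp = REQUEST_TIME - 86400 - 60;
    $this->drupalGet("user/reset/$account->uid/$valid_timestamp/" . user_pass_rehash($account->pass, $valid_timestamp, $account->login));
    $this->assertNoText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Password reset link inside the configured timeout accepted.');

    // Sixty seconds past the configured timeout must be rejected.
    $bogus_timestamp = REQUEST_TIME - $timeout - 60;
    // … unchanged: drupalGet() and assertText() for the expired link …
  }
```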