diff --git a/tests/__init__.py b/tests/__init__.py
index 48fb794..d2ea71c 100644
--- a/tests/__init__.py
+++ b/tests/__init__.py
@@ -101,16 +101,15 @@ def create_users(db):
 db.add(user)
-def set_deform_data(request, form_data, extra_data=None, **kwargs):
+def set_deform_data(request, form_data, modifyer=None):
 ''' augments the request to include post data as provided by deform '''
 post_dict = MultiDict()
 post_dict['__formid__'] = 'deform'
 post_dict['_charset_'] = 'UTF-8'
 post_dict['csrf_token'] = get_csrf_token(request)
 post_dict.update(form_data)
- if extra_data:
- post_dict.update(extra_data)
- post_dict.update(kwargs)
+ if modifyer:
+ post_dict.update(modifyer)
 request.POST = post_dict
diff --git a/tests/_functional/reset_password.py b/tests/_functional/reset_password.py
index dc4a105..834973c 100644
--- a/tests/_functional/reset_password.py
+++ b/tests/_functional/reset_password.py
@@ -27,6 +27,7 @@ def test_reset_password(testapp):
 email = mailer.outbox[-1]
 assert email.subject == '[ordr] Password Reset'
+ # set a new password
 token_link = get_token_url(email)
 response = testapp.get(token_link)
 form = response.forms[1]
@@ -39,6 +40,18 @@ def test_reset_password(testapp):
 assert 'consider a longer password' in response
 assert 'Your password was changed' in response
+ # logging in with the old password should not work
+ response = testapp.get('/account/logout')
+ response = testapp.get('/account/login')
+ form = response.forms[1]
+ form['username'] = 'TerryGilliam'
+ form['password'] = 'Terry'
+ response = form.submit()
+ assert '' not in response
+
+ # logging in with the old password should work
+ response = testapp.get('/account/logout')
+ response = testapp.get('/account/login')
 form = response.forms[1]
 form['username'] = 'TerryGilliam'
 form['password'] = 'Nudge Nudge'
diff --git a/tests/models/account.py b/tests/models/account.py
index b075dbc..bdf193b 100644
--- a/tests/models/account.py
+++ b/tests/models/account.py
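Review bot: The new parameter of `set_deform_data` is spelled `modifyer`, while the caller added in tests/views/account.py names its value `modifier`; that call is positional so nothing breaks, but any keyword call has to repeat the misspelling. Rename it, `def set_deform_data(request, form_data, modifier=None):`, with `if modifier:` and `post_dict.update(modifier)` to match. The docstring should also say that `csrf_token` is set before both `update` calls, so `form_data` or the modifier can replace it, which matters to anyone writing a CSRF rejection test with this helper.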
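Review bot: The rejected-login check `assert '' not in response` in the second hunk of tests/_functional/reset_password.py has an empty literal as shown here, so it cannot tell a refused login from an accepted one; an empty string is contained in any body, which would make the assert fail outright (if the marker text was lost in rendering, disregard this part). A test that the old password stops working after a reset is stronger when it asserts a positive failure signal, such as the login form being shown again or the login error message being present, rather than the absence of a string. The second added comment contradicts the code below it, which submits the new password 'Nudge Nudge'; it should read `# logging in with the new password should work`. The body of test_reset_password starts and continues outside the hunk.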
@@ -151,8 +151,7 @@ def test_user_issue_token(app_config):
 request.registry.settings['token_expiry.change_email'] = 10
 user = get_user('user')
 payload = {'test-key': 'test-data'}
- hash = user.issue_token(request, TokenSubject.CHANGE_EMAIL, payload)
- token = user.tokens[0]
+ token = user.issue_token(request, TokenSubject.CHANGE_EMAIL, payload)
 expected_expires = datetime.utcnow() + timedelta(minutes=10)
 # one second drift is still considered ok
@@ -160,7 +159,6 @@ def test_user_issue_token(app_config):
 expected_expires.timestamp(),
 abs=1
 )
- assert token.hash == hash
 assert token.owner == user
 assert token.payload == payload
 assert token.subject == TokenSubject.CHANGE_EMAIL
diff --git a/tests/resources/account.py b/tests/resources/account.py
index d4aa5d0..c8c3092 100644
--- a/tests/resources/account.py
+++ b/tests/resources/account.py
@@ -103,14 +103,14 @@ def test_account_resource_getitem_token_ok(app_config, dbsession):
 root = get_root_resource('user', dbsession=dbsession)
 user = root.request.user
 dbsession.add(user)
- hash = user.issue_token(root.request, TokenSubject.CHANGE_EMAIL)
+ token = user.issue_token(root.request, TokenSubject.CHANGE_EMAIL)
 account = AccountResource(None, root)
- resource = account[hash]
+ resource = account[token.hash]
 assert isinstance(resource, EmailVerificationToken)
- assert resource.__name__ == hash
+ assert resource.__name__ == token.hash
 assert resource.__parent__ == account
- assert resource.model.hash == hash
+ assert resource.model.hash == token.hash
 assert resource.model.owner == root.request.user
diff --git a/tests/views/account.py b/tests/views/account.py
index 64baa3b..472b60d 100644
--- a/tests/views/account.py
+++ b/tests/views/account.py
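Review bot: After the first hunk of tests/models/account.py, test_user_issue_token only inspects the object returned by `issue_token`, so it no longer shows that the token is attached to the user, which the removed `token = user.tokens[0]` did implicitly, and the following hunk drops the only assertion on `token.hash`. The hash is the value the resource test on this page uses to look a token up (`account[token.hash]`), so keep both covered with `assert token in user.tokens` and `assert token.hash`. Whether `issue_token` still appends to `user.tokens` is inferred from the removed line and should be confirmed against the model. The test body starts and continues outside both hunks.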
@@ -22,6 +22,13 @@ REGISTRATION_FORM_DATA = MultiDict([
 ('__end__', 'password:mapping'),
 ])
+PASSWORD_RESET_FORM_DATA = MultiDict([
+ ('__start__', 'password:mapping'),
+ ('password', 'Nudge'),
+ ('password-confirm', 'Nudge'),
+ ('__end__', 'password:mapping'),
+ ])
+
 @pytest.mark.parametrize('rolename', ['user', 'purchaser', 'admin'])
 def test_account_login_active_users(dbsession, rolename):
@@ -297,30 +304,28 @@ def test_reset_password_form():
 assert isinstance(result['form'], deform.Form)
-def reset_password_form_processing_ok():
+def test_reset_password_form_processing_ok(dbsession):
 ''' reset password form processing is ok '''
- from ordr2.models.account import TokenSubject
+ from ordr2.models.account import Token, TokenSubject, User
 from ordr2.views.account import reset_password_form_processing
+ request = DummyRequest(dbsession=dbsession)
+ set_deform_data(request, REGISTRATION_FORM_DATA)
 account = get_user('user')
- token = user.issue_token(request, TokenSubject.RESET_PASSWORD)
+ token = account.issue_token(request, TokenSubject.RESET_PASSWORD)
 dbsession.add(account)
 dbsession.flush()
 context = DummyResource(model=token)
- request = DummyRequest(
- dbsession=dbsession,
- POST={'password': 'Nudge', 'password-confirmation': 'Nudge'}
- )
 result = reset_password_form_processing(context, request)
 assert isinstance(result, HTTPFound)
- assert result.location == 'http://example.com/account/login'
- assert account.check_password('Nudge')
+ assert result.location == 'http://example.com//login'
+ assert account.check_password(REGISTRATION_FORM_DATA['password'])
 assert dbsession.query(Token).count() == 0
 assert dbsession.query(User).count() == 1
-def reset_password_form_processing_cancel():
+def test_reset_password_form_processing_cancel():
 ''' reset password form processing is canceled '''
 from ordr2.views.account import reset_password_form_processing
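Review bot: `test_reset_password_form_processing_ok` posts `REGISTRATION_FORM_DATA`, although the first hunk of this file adds `PASSWORD_RESET_FORM_DATA` and nothing visible uses it; a registration payload presumably carries fields the reset form does not have, so the view is not exercised with the input it really receives. Use the dedicated constant in both places: `set_deform_data(request, PASSWORD_RESET_FORM_DATA)` and `assert account.check_password(PASSWORD_RESET_FORM_DATA['password'])`. The expected redirect also changed from `/account/login` to `'http://example.com//login'`; the double slash looks like an empty path segment coming from the dummy context rather than an intended target, so either fix the fixture or add a comment explaining it, otherwise the test pins a malformed post-reset redirect.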
@@ -339,14 +344,13 @@ def reset_password_form_processing_cancel():
 ('', 'one is empty'),
 ]
 )
-def reset_password_form_processing_invalid(pw, confirm):
+def test_reset_password_form_processing_invalid(pw, confirm):
 ''' validation error in reset password form '''
 from ordr2.views.account import reset_password_form_processing
- request = DummyRequest(
- dbsession=dbsession,
- POST={'password': pw, 'password-confirmation': confirm}
- )
- result = reset_password_form_processing(context, request)
+ request = DummyRequest(dbsession=dbsession)
+ modifier = {'password': pw, 'password-confim': confirm}
+ set_deform_data(request, REGISTRATION_FORM_DATA, modifier)
+ result = reset_password_form_processing(None, request)
 assert isinstance(result['form'], deform.Form)
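Review bot: `test_reset_password_form_processing_invalid(pw, confirm)` uses `dbsession` in `DummyRequest(dbsession=dbsession)` without requesting the fixture, unlike the `_ok` test this commit corrected; unless a module-level `dbsession` exists outside this view, the now-collected test fails with a NameError instead of checking validation. The override key `'password-confim'` is also misspelled, so `confirm` never replaces the `password-confirm` field and the parametrized password/confirmation pairs are not what gets submitted. Change the two lines to `def test_reset_password_form_processing_invalid(dbsession, pw, confirm):` and `modifier = {'password': pw, 'password-confirm': confirm}`. The parametrize decorator for this test starts outside the hunk.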