diff --git a/src/oauth2views/password_reset.ejs b/src/oauth2views/password_reset.ejs
index 9077e66bb..b1ffe05d7 100644
--- a/src/oauth2views/password_reset.ejs
+++ b/src/oauth2views/password_reset.ejs
@@ -20,6 +20,7 @@ app.controller('Controller', [function () {}]);
     <div class="row">
         <div class="col-md-6 col-md-offset-3">
             <form action="/api/v1/session/password/reset" method="post" name="resetForm" autocomplete="off" role="form" novalidate>
+                <input type="password" style="display: none;">
                 <input type="hidden" name="_csrf" value="<%= csrf %>"/>
                 <input type="hidden" name="resetToken" value="<%= resetToken %>"/>
 
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 92f045081..3c2dd116e 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -280,10 +280,10 @@ function renderAccountSetupSite(res, req, userObject, error) {
 
 // -> GET /api/v1/session/account/setup.html
 function accountSetupSite(req, res) {
-    if (!req.query.reset_token) return renderAccountSetupSite(res, req, {}, 'Missing Reset Token');
+    if (!req.query.reset_token) return sendError(res, req, 'Missing Reset Token');
 
     user.getByResetToken(req.query.reset_token, function (error, userObject) {
-        if (error) return renderAccountSetupSite(res, req, {}, 'Invalid Reset Token');
+        if (error) return sendError(res, req, 'Invalid Reset Token');
 
         renderAccountSetupSite(res, req, userObject, '');
     });
@@ -301,7 +301,7 @@ function accountSetup(req, res, next) {
     debug('acountSetup: with token %s.', req.body.resetToken);
 
     user.getByResetToken(req.body.resetToken, function (error, userObject) {
-        if (error) return renderAccountSetupSite(res, req, {}, 'Invalid Reset Token');
+        if (error) return sendError(res, req, 'Invalid Reset Token');
 
         userObject.username = req.body.username;
         userObject.displayName = req.body.displayName;