diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 6d6a14dae..e868a57b8 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -22,6 +22,7 @@ Changelog * Add ability to filter image index by a tag (Benedikt Willi) * Add formal support for nested InlinePanels (Matt Westcott) * Added cache control headers when serving documents (Johannes Vogel) + * Use `sensitive_post_parameters` on password reset form (Dan Braghis) * Fix: Rename documents listing column 'uploaded' to 'created' (LB (Ben Johnston)) * Fix: Submenu items longer then the page height are no longer broken by the submenu footer (Igor van Spengen) * Fix: Unbundle the l18n library as it was bundled to avoid installation errors which have been resolved (Matt Westcott) diff --git a/docs/releases/2.8.rst b/docs/releases/2.8.rst index 6943d1171..8f1cb7686 100644 --- a/docs/releases/2.8.rst +++ b/docs/releases/2.8.rst @@ -42,6 +42,7 @@ Other features * Add ability to filter image index by a tag (Benedikt Willi) * Add formal support for nested InlinePanels (Matt Westcott) * Added cache control headers when serving documents (Johannes Vogel) + * Use ``sensitive_post_parameters`` on password reset form (Dan Braghis) Bug fixes diff --git a/wagtail/admin/tests/test_account_management.py b/wagtail/admin/tests/test_account_management.py index bbd1572f1..622134d01 100644 --- a/wagtail/admin/tests/test_account_management.py +++ b/wagtail/admin/tests/test_account_management.py 
@@ -9,12 +9,13 @@ from django.contrib.auth import get_user_model from django.contrib.auth.models import Group, Permission from django.contrib.auth.tokens import PasswordResetTokenGenerator from django.core import mail -from django.test import TestCase, override_settings +from django.test import RequestFactory, TestCase, override_settings from django.urls import reverse from django.utils.translation import get_language from wagtail.admin.localization import ( WAGTAILADMIN_PROVIDED_LANGUAGES, get_available_admin_languages, get_available_admin_time_zones) +from wagtail.admin.views.account import change_password from wagtail.tests.utils import WagtailTestUtils from wagtail.users.models import UserProfile @@ -872,3 +873,10 @@ class TestPasswordReset(TestCase, WagtailTestUtils): # Check that the user received a password reset complete page self.assertEqual(response.status_code, 200) self.assertTemplateUsed(response, 'wagtailadmin/account/password_reset/complete.html') + + def test_password_reset_sensitive_post_parameters(self): + request = RequestFactory().post('wagtailadmin_password_reset_confirm', data={}) + request.user = get_user_model().objects.get(username='test') + change_password(request) + self.assertTrue(hasattr(request, 'sensitive_post_parameters')) + self.assertEqual(request.sensitive_post_parameters, '__ALL__') diff --git a/wagtail/admin/views/account.py b/wagtail/admin/views/account.py index 12a6f1a1d..0041519a0 100644 --- a/wagtail/admin/views/account.py +++ b/wagtail/admin/views/account.py @@ -8,6 +8,7 @@ from django.shortcuts import redirect, render from django.urls import reverse, reverse_lazy from django.utils.translation import ugettext as _ from django.utils.translation import override +from django.views.decorators.debug import sensitive_post_parameters from wagtail.admin.forms.auth import LoginForm, PasswordResetForm from wagtail.core import hooks 
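Review bot: The new test is named and pathed as a "password reset" test, but the view it exercises is `change_password` (imported from `wagtail.admin.views.account` in the hunk above), and the path argument `'wagtailadmin_password_reset_confirm'` is a URL name passed to `RequestFactory.post()` as if it were a path; it is never reversed, which only goes unnoticed because the view is called directly. Renaming it `test_change_password_sensitive_post_parameters` and building the path with the already-imported `reverse()` on the change-password route would make the intent match the view under test; the CHANGELOG and 2.8 release-note entries in this commit carry the same mismatch, describing the change as being on the password reset form. The `'__ALL__'` marker is exactly what Django's exception-report filter reads to mask every POST value, so the final assertion checks the property that matters, but `self.assertTrue(hasattr(request, 'sensitive_post_parameters'))` is redundant with it (a missing attribute already fails the `assertEqual` with AttributeError) and can be dropped. The test also runs the view body to completion with an empty POST and a user fetched by `username='test'`, so it presumably relies on that fixture being created in the class `setUp`, which is outside the hunk.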
@@ -56,6 +57,7 @@ def account(request): }) +@sensitive_post_parameters() def change_password(request): if not password_management_enabled(): raise Http404
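Review bot: `@sensitive_post_parameters()` only masks `request.POST` in Django's error reports; local variables captured in the view's traceback frames are not covered, so if the body of `change_password`, which continues past the hunk, binds the submitted password into a plain local, Django's companion `@sensitive_variables(...)` is the piece still missing. The decorator is applied to the change-password view, while the CHANGELOG and release-note entries in this commit describe it as applying to the password reset form; the entries should name the view actually hardened. A one-line comment above the decorator would tell the next reader why it is there, e.g. `# Mask every POST value of this view in Django's exception reports and error emails.`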