diff --git a/app/assets/stylesheets/main.scss b/app/assets/stylesheets/main.scss
index 9beb5dd10..7a0a95feb 100644
--- a/app/assets/stylesheets/main.scss
+++ b/app/assets/stylesheets/main.scss
@@ -20,6 +20,7 @@
 @import '../govuk_elements/public/sass/elements/details';
 @import '../govuk_elements/public/sass/elements/elements-typography';
 @import '../govuk_elements/public/sass/elements/forms';
+@import '../govuk_elements/public/sass/elements/forms/form-validation';
 @import '../govuk_elements/public/sass/elements/forms/form-block-labels';
 @import '../govuk_elements/public/sass/elements/icons';
 @import '../govuk_elements/public/sass/elements/layout';
diff --git a/app/main/__init__.py b/app/main/__init__.py
index 9354e06db..3d3ab5cde 100644
--- a/app/main/__init__.py
+++ b/app/main/__init__.py
@@ -2,8 +2,7 @@ from flask import Blueprint
 
 main = Blueprint('main', __name__)
 
-
 from app.main.views import (
     index, sign_in, sign_out, register, two_factor, verify, sms, add_service,
-    code_not_received, jobs, dashboard, templates, service_settings
+    code_not_received, jobs, dashboard, templates, service_settings, forgot_password, new_password
 )
diff --git a/app/main/dao/users_dao.py b/app/main/dao/users_dao.py
index ea065e9d6..f45d2a95d 100644
--- a/app/main/dao/users_dao.py
+++ b/app/main/dao/users_dao.py
@@ -1,3 +1,7 @@
+from datetime import datetime
+
+from sqlalchemy.orm import load_only
+
 from app import db, login_manager
 from app.models import User
 from app.main.encryption import hashpw
@@ -53,3 +57,18 @@ def update_mobile_number(id, mobile_number):
     user.mobile_number = mobile_number
     db.session.add(user)
     db.session.commit()
+
+
+def update_password(user, password):
+    user.password = hashpw(password)
+    user.password_changed_at = datetime.now()
+    user.state = 'active'
+    db.session.add(user)
+    db.session.commit()
+
+
+def request_password_reset(email):
+    user = get_user_by_email(email)
+    user.state = 'request_password_reset'
+    db.session.add(user)
+    db.session.commit()
diff --git a/app/main/exceptions.py b/app/main/exceptions.py
deleted file mode 100644
index 45f0515c0..000000000
--- a/app/main/exceptions.py
+++ /dev/null
@@ -1,5 +0,0 @@
-
-
-class AdminApiClientException(Exception):
-    def __init__(self, message):
-        self.value = message
diff --git a/app/main/forms.py b/app/main/forms.py
index 5b7230477..e06595ba4 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -1,67 +1,79 @@
-from datetime import datetime
-
 from flask_wtf import Form
 from wtforms import StringField, PasswordField, ValidationError
 from wtforms.validators import DataRequired, Email, Length, Regexp
-from app.main.dao import verify_codes_dao
-from app.main.encryption import check_hash
 from app.main.validators import Blacklist, ValidateUserCodes
 
 
+def email_address():
+    gov_uk_email \
+        = "(^[^@^\\s]+@[^@^\\.^\\s]+(\\.[^@^\\.^\\s]*)*.gov.uk)"
+    return StringField('Email address', validators=[
+        Length(min=5, max=255),
+        DataRequired(message='Email cannot be empty'),
+        Email(message='Enter a valid email address'),
+        Regexp(regex=gov_uk_email, message='Enter a gov.uk email address')])
+
+
+def mobile_number():
+    mobile_number_regex = "^\\+44[\\d]{10}$"
+    return StringField('Mobile phone number',
+                       validators=[DataRequired(message='Mobile number can not be empty'),
+                                   Regexp(regex=mobile_number_regex, message='Enter a +44 mobile number')])
+
+
+def password():
+    return PasswordField('Create a password',
+                         validators=[DataRequired(message='Password can not be empty'),
+                                     Length(10, 255, message='Password must be at least 10 characters'),
+                                     Blacklist(message='That password is blacklisted, too common')])
+
+
+def sms_code():
+    verify_code = '^\d{5}$'
+    return StringField('Text message confirmation code',
+                       validators=[DataRequired(message='Text message confirmation code can not be empty'),
+                                   Regexp(regex=verify_code,
+                                          message='Text message confirmation code must be 5 digits'),
+                                   ValidateUserCodes(code_type='sms')])
+
+
+def email_code():
+    verify_code = '^\d{5}$'
+    return StringField("Email confirmation code",
+                       validators=[DataRequired(message='Email confirmation code can not be empty'),
+                                   Regexp(regex=verify_code, message='Email confirmation code must be 5 digits'),
+                                   ValidateUserCodes(code_type='email')])
+
+
 class LoginForm(Form):
     email_address = StringField('Email address', validators=[
         Length(min=5, max=255),
         DataRequired(message='Email cannot be empty'),
-        Email(message='Please enter a valid email address')
+        Email(message='Enter a valid email address')
     ])
     password = PasswordField('Password', validators=[
-        DataRequired(message='Please enter your password')
+        DataRequired(message='Enter your password')
     ])
 
 
-gov_uk_email = "(^[^@^\\s]+@[^@^\\.^\\s]+(\\.[^@^\\.^\\s]*)*.gov.uk)"
-mobile_number = "^\\+44[\\d]{10}$"
-verify_code = '^\d{5}$'
-
-
 class RegisterUserForm(Form):
-
-    def __init__(self, existing_email_addresses, existing_mobile_numbers, *args, **kwargs):
+    def __init__(self, existing_email_addresses, *args, **kwargs):
         self.existing_emails = existing_email_addresses
-        self.existing_mobiles = existing_mobile_numbers
         super(RegisterUserForm, self).__init__(*args, **kwargs)
 
     name = StringField('Full name',
                        validators=[DataRequired(message='Name can not be empty')])
-    email_address = StringField('Email address', validators=[
-        Length(min=5, max=255),
-        DataRequired(message='Email cannot be empty'),
-        Email(message='Please enter a valid email address'),
-        Regexp(regex=gov_uk_email, message='Please enter a gov.uk email address')
-    ])
-    mobile_number = StringField('Mobile phone number',
-                                validators=[DataRequired(message='Please enter your mobile number'),
-                                            Regexp(regex=mobile_number, message='Please enter a +44 mobile number')])
-    password = PasswordField('Create a password',
-                             validators=[DataRequired(message='Please enter your password'),
-                                         Length(10, 255, message='Password must be at least 10 characters'),
-                                         Blacklist(message='That password is blacklisted, too common')])
+    email_address = email_address()
+    mobile_number = mobile_number()
+    password = password()
 
     def validate_email_address(self, field):
         # Validate email address is unique.
-        if field.data in self.existing_emails:
+        if self.existing_emails(field.data):
             raise ValidationError('Email address already exists')
 
-    def validate_mobile_number(self, field):
-        # Validate mobile number is unique
-        # Code to re-added later
-        # if field.data in self.existing_mobiles:
-        #    raise ValidationError('Mobile number already exists')
-        pass
-
 
 class TwoFactorForm(Form):
-
     def __init__(self, user_codes, *args, **kwargs):
         '''
         Keyword arguments:
@@ -71,13 +83,10 @@ class TwoFactorForm(Form):
         self.user_codes = user_codes
         super(TwoFactorForm, self).__init__(*args, **kwargs)
 
-    sms_code = StringField('sms code', validators=[DataRequired(message='Enter verification code'),
-                                                   Regexp(regex=verify_code, message='Code must be 5 digits'),
-                                                   ValidateUserCodes(code_type='sms')])
+    sms_code = sms_code()
 
 
 class VerifyForm(Form):
-
     def __init__(self, user_codes, *args, **kwargs):
         '''
         Keyword arguments:
@@ -87,29 +96,16 @@ class VerifyForm(Form):
         self.user_codes = user_codes
         super(VerifyForm, self).__init__(*args, **kwargs)
 
-    sms_code = StringField("Text message confirmation code",
-                           validators=[DataRequired(message='SMS code can not be empty'),
-                                       Regexp(regex=verify_code, message='Code must be 5 digits'),
-                                       ValidateUserCodes(code_type='sms')])
-    email_code = StringField("Email confirmation code",
-                             validators=[DataRequired(message='Email code can not be empty'),
-                                         Regexp(regex=verify_code, message='Code must be 5 digits'),
-                                         ValidateUserCodes(code_type='email')])
+    sms_code = sms_code()
+    email_code = email_code()
 
 
 class EmailNotReceivedForm(Form):
-    email_address = StringField('Email address', validators=[
-        Length(min=5, max=255),
-        DataRequired(message='Email cannot be empty'),
-        Email(message='Please enter a valid email address'),
-        Regexp(regex=gov_uk_email, message='Please enter a gov.uk email address')
-    ])
+    email_address = email_address()
 
 
 class TextNotReceivedForm(Form):
-    mobile_number = StringField('Mobile phone number', validators=[
-        DataRequired(message='Please enter your mobile number'),
-        Regexp(regex=mobile_number, message='Please enter a +44 mobile number')])
+    mobile_number = mobile_number()
 
 
 class AddServiceForm(Form):
@@ -118,8 +114,16 @@ class AddServiceForm(Form):
         super(AddServiceForm, self).__init__(*args, **kwargs)
 
     service_name = StringField(validators=[
-        DataRequired(message='Please enter your service name')])
+        DataRequired(message='Service name can not be empty')])
 
     def validate_service_name(self, a):
         if self.service_name.data in self.service_names:
             raise ValidationError('Service name already exists')
+
+
+class ForgotPasswordForm(Form):
+    email_address = email_address()
+
+
+class NewPasswordForm(Form):
+    new_password = password()
diff --git a/app/main/views/__init__.py b/app/main/views/__init__.py
index e092ba59c..a76b4feb4 100644
--- a/app/main/views/__init__.py
+++ b/app/main/views/__init__.py
@@ -1,6 +1,8 @@
 from random import randint
+
+from flask import url_for, current_app
+
 from app import admin_api_client
-from app.main.exceptions import AdminApiClientException
 from app.main.dao import verify_codes_dao
 
 
@@ -10,24 +12,43 @@ def create_verify_code():
 
 def send_sms_code(user_id, mobile_number):
     sms_code = create_verify_code()
-    try:
-        verify_codes_dao.add_code(user_id=user_id, code=sms_code, code_type='sms')
-        admin_api_client.send_sms(mobile_number=mobile_number, message=sms_code, token=admin_api_client.auth_token)
-    except:
-        raise AdminApiClientException('Exception when sending sms.')
+    verify_codes_dao.add_code(user_id=user_id, code=sms_code, code_type='sms')
+    admin_api_client.send_sms(mobile_number=mobile_number, message=sms_code, token=admin_api_client.auth_token)
+
     return sms_code
 
 
 def send_email_code(user_id, email):
     email_code = create_verify_code()
-    try:
-        verify_codes_dao.add_code(user_id=user_id, code=email_code, code_type='email')
-        admin_api_client.send_email(email_address=email,
-                                    from_str='notify@digital.cabinet-office.gov.uk',
-                                    message=email_code,
-                                    subject='Verification code',
-                                    token=admin_api_client.auth_token)
-    except:
-        raise AdminApiClientException('Exception when sending email.')
-
+    verify_codes_dao.add_code(user_id=user_id, code=email_code, code_type='email')
+    admin_api_client.send_email(email_address=email,
+                                from_str='notify@digital.cabinet-office.gov.uk',
+                                message=email_code,
+                                subject='Verification code',
+                                token=admin_api_client.auth_token)
     return email_code
+
+
+def send_change_password_email(email):
+    link_to_change_password = url_for('.new_password', token=generate_token(email), _external=True)
+    admin_api_client.send_email(email_address=email,
+                                from_str='notify@digital.cabinet-office.gov.uk',
+                                message=link_to_change_password,
+                                subject='Reset password for GOV.UK Notify',
+                                token=admin_api_client.auth_token)
+
+
+def generate_token(email):
+    from itsdangerous import TimestampSigner
+    signer = TimestampSigner(current_app.config['SECRET_KEY'])
+    return signer.sign(email).decode('utf8')
+
+
+def check_token(token):
+    from itsdangerous import TimestampSigner, SignatureExpired
+    signer = TimestampSigner(current_app.config['SECRET_KEY'])
+    try:
+        email = signer.unsign(token, max_age=current_app.config['TOKEN_MAX_AGE_SECONDS'])
+        return email
+    except SignatureExpired as e:
+        current_app.logger.info('token expired %s' % e)
diff --git a/app/main/views/forgot_password.py b/app/main/views/forgot_password.py
new file mode 100644
index 000000000..0e5c81bda
--- /dev/null
+++ b/app/main/views/forgot_password.py
@@ -0,0 +1,19 @@
+from flask import render_template, flash, current_app
+from app.main import main
+from app.main.dao import users_dao
+from app.main.forms import ForgotPasswordForm
+from app.main.views import send_change_password_email
+
+
+@main.route('/forgot-password', methods=['GET', 'POST'])
+def forgot_password():
+    form = ForgotPasswordForm()
+    if form.validate_on_submit():
+        if users_dao.get_user_by_email(form.email_address.data):
+            users_dao.request_password_reset(form.email_address.data)
+            send_change_password_email(form.email_address.data)
+            return render_template('views/password-reset-sent.html')
+        else:
+            current_app.logger.info('The email address used does not exist.')
+    else:
+        return render_template('views/forgot-password.html', form=form)
diff --git a/app/main/views/index.py b/app/main/views/index.py
index dec87cf89..777dfa789 100644
--- a/app/main/views/index.py
+++ b/app/main/views/index.py
@@ -1,6 +1,4 @@
 from flask import render_template
-from flask_login import login_required
-
 from app.main import main
 
 
@@ -34,16 +32,6 @@ def checkemail():
     return render_template('views/check-email.html')
 
 
-@main.route("/forgot-password")
-def forgotpassword():
-    return render_template('views/forgot-password.html')
-
-
-@main.route("/new-password")
-def newpassword():
-    return render_template('views/new-password.html')
-
-
 @main.route("/user-profile")
 def userprofile():
     return render_template('views/user-profile.html')
@@ -59,6 +47,11 @@ def apikeys():
     return render_template('views/api-keys.html')
 
 
-@main.route("/verification-not-received")
-def verificationnotreceived():
-    return render_template('views/verification-not-received.html')
+@main.route("/manage-templates")
+def managetemplates():
+    return render_template('views/manage-templates.html')
+
+
+@main.route("/edit-template")
+def edittemplate():
+    return render_template('views/edit-template.html')
diff --git a/app/main/views/new_password.py b/app/main/views/new_password.py
new file mode 100644
index 000000000..c1b0e1e04
--- /dev/null
+++ b/app/main/views/new_password.py
@@ -0,0 +1,28 @@
+from flask import (render_template, url_for, redirect, flash)
+
+from app.main import main
+from app.main.dao import users_dao
+from app.main.forms import NewPasswordForm
+from app.main.views import send_sms_code, check_token
+
+
+@main.route('/new-password/<path:token>', methods=['GET', 'POST'])
+def new_password(token):
+    email_address = check_token(token)
+    if not email_address:
+        flash('The link in the email we sent you has expired. Enter your email address to resend.')
+        return redirect(url_for('.forgot_password'))
+
+    user = users_dao.get_user_by_email(email_address=email_address.decode('utf-8'))
+    if user and user.state != 'request_password_reset':
+        flash('The link in the email we sent you has already been used.')
+        return redirect(url_for('.index'))
+
+    form = NewPasswordForm()
+
+    if form.validate_on_submit():
+        users_dao.update_password(user, form.new_password.data)
+        send_sms_code(user.id, user.mobile_number)
+        return redirect(url_for('main.two_factor'))
+    else:
+        return render_template('views/new-password.html', token=token, form=form, user=user)
diff --git a/app/main/views/register.py b/app/main/views/register.py
index 2e1c7f309..9eef37a4a 100644
--- a/app/main/views/register.py
+++ b/app/main/views/register.py
@@ -1,12 +1,9 @@
 from datetime import datetime, timedelta
 
-from flask import render_template, redirect, jsonify, session
-from sqlalchemy.exc import SQLAlchemyError
+from flask import render_template, redirect, session
 
 from app.main import main
 from app.main.dao import users_dao
-from app.main.encryption import hashpw
-from app.main.exceptions import AdminApiClientException
 from app.main.forms import RegisterUserForm
 from app.main.views import send_sms_code, send_email_code
 from app.models import User
@@ -15,16 +12,8 @@ from app.models import User
 # TODO how do we handle duplicate unverifed email addresses?
 # malicious or otherwise.
 @main.route('/register', methods=['GET', 'POST'])
-def process_register():
-    try:
-        existing_emails, existing_mobiles = zip(
-            *[(x.email_address, x.mobile_number) for x in
-                users_dao.get_all_users()])
-    except ValueError:
-        # Value error is raised if the db is empty.
-        existing_emails, existing_mobiles = [], []
-
-    form = RegisterUserForm(existing_emails, existing_mobiles)
+def register():
+    form = RegisterUserForm(users_dao.get_user_by_email)
 
     if form.validate_on_submit():
         user = User(name=form.name.data,
diff --git a/app/main/views/sign_out.py b/app/main/views/sign_out.py
index d734916c8..fe1e47329 100644
--- a/app/main/views/sign_out.py
+++ b/app/main/views/sign_out.py
@@ -9,4 +9,4 @@ from app.main import main
 @login_required
 def sign_out():
     logout_user()
-    return redirect(url_for('main.sign_in'))
+    return redirect(url_for('main.index'))
diff --git a/app/templates/admin_template.html b/app/templates/admin_template.html
index 4613ca442..a03e47612 100644
--- a/app/templates/admin_template.html
+++ b/app/templates/admin_template.html
@@ -43,6 +43,7 @@
   </div>
 {% endblock %}
 
+
 {% set global_header_text = "GOV.UK Notify" %}
 
 
@@ -53,9 +54,20 @@
 {% endif %}
 
 {% block content %}
-  <main id="content" role="main" class="page-container">
+<main id="content" role="main" class="page-container">
+    {% with messages = get_flashed_messages() %}
+    {% if messages %}
+    <div class="error-summary">
+        <ul>
+            {% for message in messages %}
+            <li>{{ message }}</li>
+            {% endfor %}
+        </ul>
+    </div>
+    {% endif %}
+    {% endwith %}
     {% block fullwidth_content %}{% endblock %}
-  </main>
+</main>
 {% endblock %}
 
 {% block body_end %}
diff --git a/app/templates/components/form-field.html b/app/templates/components/form-field.html
index 643099498..691b4c579 100644
--- a/app/templates/components/form-field.html
+++ b/app/templates/components/form-field.html
@@ -2,7 +2,7 @@
   <dt>{{ field.label }}
   <dd>{{ field(**kwargs)|safe }}
   {% if field.errors %}
-    <ul class=error-summary>
+    <ul class=error>
     {% for error in field.errors %}
       <li>{{ error }}</li>
     {% endfor %}
diff --git a/app/templates/views/forgot-password.html b/app/templates/views/forgot-password.html
index 5ca218fb4..4d36f2a86 100644
--- a/app/templates/views/forgot-password.html
+++ b/app/templates/views/forgot-password.html
@@ -12,15 +12,13 @@ GOV.UK Notify
 
     <p>If you have forgotten your password, we can send you an email to create a new password.</p>
 
+    <form autocomplete="off" action="" method="post">
+	  {{ form.hidden_tag() }}
+	  {{ render_field(form.email_address, class='form-control-2-3') }}
       <p>
-      <label class="form-label" for="email">Email address</label>
-      <input class="form-control" id="email" type="text" value="">
-      </p>
-
-
-      <p>
-      <a class="button" href="sign-in" role="button">Send email</a>
+      <button class="button" role="button">Send email</button>
       </p>
+    </form>
   </div>
 </div>
 
diff --git a/app/templates/views/new-password.html b/app/templates/views/new-password.html
index a1e312642..580325410 100644
--- a/app/templates/views/new-password.html
+++ b/app/templates/views/new-password.html
@@ -8,19 +8,26 @@ GOV.UK Notify
 
 <div class="grid-row">
 	<div class="column-two-thirds">
+		{% if user %}
 		<h1 class="heading-xlarge">Create a new password</h1>
 
 		<p> You can now create a new password for your account.</p>
 
-  		<p>
-  		<label class="form-label" for="password">Create a password</label>
-  		<input class="form-control-1-4" id="password" type="password"> <br>
+		<form action="" autocomplete="off" method="post">
+			{{ form.hidden_tag() }}
+		<p>
+  		  {{ render_field(form.new_password, class="form-control-1-4", type="password") }}
   		<span class="font-xsmall">Your password must have at least 10 characters</span>
   		</p>
 
   		<p>
-  		<a class="button" href="two-factor" role="button">Continue</a>
+  		<button class="button" role="button">Continue</button>
   		</p>
+
+		</form>
+		{% else %}
+			Message about email address does not exist. Some one needs to figure out the words here.
+		{% endif %}
 	</div>
 </div>
 
diff --git a/app/templates/views/password-reset-sent.html b/app/templates/views/password-reset-sent.html
new file mode 100644
index 000000000..6d12e559c
--- /dev/null
+++ b/app/templates/views/password-reset-sent.html
@@ -0,0 +1,18 @@
+{% extends "admin_template.html" %}
+
+{% block page_title %}
+GOV.UK Notify |
+{% endblock %}
+
+{% block fullwidth_content %}
+
+<div class="grid-row">
+	<div class="column-two-thirds">
+		<h1 class="heading-xlarge">GOV.UK Notify</h1>
+
+		<p>You have been sent an email containing a link to reset your password.</p>
+
+	</div>
+</div>
+
+{% endblock %}
diff --git a/app/templates/views/signin.html b/app/templates/views/signin.html
index a399f0196..870b61755 100644
--- a/app/templates/views/signin.html
+++ b/app/templates/views/signin.html
@@ -18,7 +18,7 @@ Sign in
 			{{ render_field(form.email_address, class='form-control-2-3') }}
 			{{ render_field(form.password, class='form-control-2-3') }}
 			<p>
-			<span class="font-xsmall"><a href="">Forgotten password?</a></span>
+			<span class="font-xsmall"><a href="{{url_for('main.forgot_password')}}">Forgotten password?</a></span>
 			</p>
 			{{ page_footer("Continue") }}
 		</form>
diff --git a/config.py b/config.py
index d53cf17f9..0f03f3792 100644
--- a/config.py
+++ b/config.py
@@ -29,6 +29,7 @@ class Config(object):
     SECRET_KEY = 'secret-key'
     HTTP_PROTOCOL = 'http'
     DANGEROUS_SALT = 'itsdangeroussalt'
+    TOKEN_MAX_AGE_SECONDS = 120000
 
 
 class Development(Config):
diff --git a/tests/app/main/dao/test_users_dao.py b/tests/app/main/dao/test_users_dao.py
index 75affe58d..885d9ab34 100644
--- a/tests/app/main/dao/test_users_dao.py
+++ b/tests/app/main/dao/test_users_dao.py
@@ -1,8 +1,7 @@
 from datetime import datetime
-
 import pytest
 import sqlalchemy
-
+from app.main.encryption import check_hash
 from app.models import User
 from app.main.dao import users_dao
 
@@ -161,3 +160,61 @@ def test_should_update_email_address(notifications_admin, notifications_admin_db
     users_dao.update_email_address(user.id, 'new_email@testit.gov.uk')
     updated = users_dao.get_user_by_id(user.id)
     assert updated.email_address == 'new_email@testit.gov.uk'
+
+
+def test_should_update_password(notifications_admin, notifications_admin_db, notify_db_session):
+    user = User(name='Update Email',
+                password='somepassword',
+                email_address='test@it.gov.uk',
+                mobile_number='+441234123412',
+                created_at=datetime.now(),
+                role_id=1,
+                state='active')
+    start = datetime.now()
+    users_dao.insert_user(user)
+
+    saved = users_dao.get_user_by_id(user.id)
+    assert check_hash('somepassword', saved.password)
+    assert saved.password_changed_at is None
+    users_dao.update_password(saved, 'newpassword')
+    updated = users_dao.get_user_by_id(user.id)
+    assert check_hash('newpassword', updated.password)
+    assert updated.password_changed_at < datetime.now()
+    assert updated.password_changed_at > start
+
+
+def test_should_return_list_of_all_email_addresses(notifications_admin, notifications_admin_db, notify_db_session):
+    first = User(name='First Person',
+                 password='somepassword',
+                 email_address='first@it.gov.uk',
+                 mobile_number='+441234123412',
+                 created_at=datetime.now(),
+                 role_id=1,
+                 state='active')
+    second = User(name='Second Person',
+                  password='somepassword',
+                  email_address='second@it.gov.uk',
+                  mobile_number='+441234123412',
+                  created_at=datetime.now(),
+                  role_id=1,
+                  state='active')
+    users_dao.insert_user(first)
+    users_dao.insert_user(second)
+
+    email_addresses = users_dao.get_all_users()
+    expected = [first.email_address, second.email_address]
+    assert expected == [x.email_address for x in email_addresses]
+
+
+def test_should_update_state_to_request_password_reset(notifications_admin, notifications_admin_db, notify_db_session):
+    user = User(name='Requesting Password Resest',
+                password='somepassword',
+                email_address='request@new_password.gov.uk',
+                mobile_number='+441234123412',
+                created_at=datetime.now(),
+                role_id=1,
+                state='active')
+    users_dao.insert_user(user)
+    users_dao.request_password_reset(user.email_address)
+    saved = users_dao.get_user_by_email(user.email_address)
+    assert saved.state == 'request_password_reset'
diff --git a/tests/app/main/test_validators.py b/tests/app/main/test_validators.py
index d85159f51..512f0350a 100644
--- a/tests/app/main/test_validators.py
+++ b/tests/app/main/test_validators.py
@@ -1,10 +1,9 @@
-from pytest import fail
-
+from app.main.dao import users_dao
 from app.main.forms import RegisterUserForm
 
 
 def test_should_raise_validation_error_for_password(notifications_admin):
-    form = RegisterUserForm([], [])
+    form = RegisterUserForm(users_dao.get_user_by_email)
     form.name.data = 'test'
     form.email_address.data = 'teset@example.gov.uk'
     form.mobile_number.data = '+441231231231'
diff --git a/tests/app/main/views/test_add_service.py b/tests/app/main/views/test_add_service.py
index 5f199ac63..02506ace3 100644
--- a/tests/app/main/views/test_add_service.py
+++ b/tests/app/main/views/test_add_service.py
@@ -39,4 +39,4 @@ def test_should_return_form_errors_when_service_name_is_empty(notifications_admi
             client.post('/two-factor', data={'sms_code': '12345'})
             response = client.post('/add-service', data={})
             assert response.status_code == 200
-            assert 'Please enter your service name' in response.get_data(as_text=True)
+            assert 'Service name can not be empty' in response.get_data(as_text=True)
diff --git a/tests/app/main/views/test_forgot_password.py b/tests/app/main/views/test_forgot_password.py
new file mode 100644
index 000000000..c7dac0177
--- /dev/null
+++ b/tests/app/main/views/test_forgot_password.py
@@ -0,0 +1,41 @@
+from flask import url_for
+
+from app.main.dao import users_dao
+from app.main.views import generate_token
+from tests.app.main import create_test_user
+
+
+def test_should_render_forgot_password(notifications_admin, notifications_admin_db, notify_db_session):
+    response = notifications_admin.test_client().get('/forgot-password')
+    assert response.status_code == 200
+    assert 'If you have forgotten your password, we can send you an email to create a new password.' \
+           in response.get_data(as_text=True)
+
+
+def test_should_redirect_to_password_reset_sent_and_state_updated(notifications_admin,
+                                                                  notifications_admin_db,
+                                                                  mocker,
+                                                                  notify_db_session):
+    mocker.patch("app.admin_api_client.send_email")
+    user = create_test_user('active')
+    response = notifications_admin.test_client().post('/forgot-password',
+                                                      data={'email_address': user.email_address})
+    assert response.status_code == 200
+    assert 'You have been sent an email containing a link to reset your password.' in response.get_data(
+        as_text=True)
+    assert users_dao.get_user_by_id(user.id).state == 'request_password_reset'
+
+
+def test_should_redirect_to_forgot_password_with_flash_message_when_token_is_expired(notifications_admin,
+                                                                                     notifications_admin_db,
+                                                                                     notify_db_session):
+    with notifications_admin.test_request_context():
+        with notifications_admin.test_client() as client:
+            notifications_admin.config['TOKEN_MAX_AGE_SECONDS'] = -1000
+            user = create_test_user('active')
+            token = generate_token(user.email_address)
+        response = client.post('/new-password/{}'.format(token),
+                               data={'new_password': 'a-new_password'})
+        assert response.status_code == 302
+        assert response.location == url_for('.forgot_password', _external=True)
+        notifications_admin.config['TOKEN_MAX_AGE_SECONDS'] = 86400
diff --git a/tests/app/main/views/test_new_password.py b/tests/app/main/views/test_new_password.py
new file mode 100644
index 000000000..4f1aeba6b
--- /dev/null
+++ b/tests/app/main/views/test_new_password.py
@@ -0,0 +1,75 @@
+from flask import url_for
+
+from app.main.dao import users_dao
+from app.main.encryption import check_hash
+from app.main.views import generate_token
+from tests.app.main import create_test_user
+
+
+def test_should_render_new_password_template(notifications_admin, notifications_admin_db, notify_db_session):
+    with notifications_admin.test_request_context():
+        with notifications_admin.test_client() as client:
+            user = create_test_user('request_password_reset')
+            token = generate_token(user.email_address)
+        response = client.get(url_for('.new_password', token=token))
+        assert response.status_code == 200
+        assert ' You can now create a new password for your account.' in response.get_data(as_text=True)
+
+
+def test_should_render_new_password_template_with_message_of_bad_token(notifications_admin, notifications_admin_db,
+                                                                       notify_db_session):
+    with notifications_admin.test_request_context():
+        with notifications_admin.test_client() as client:
+            create_test_user('request_password_reset')
+            token = generate_token('no_user@d.gov.uk')
+        response = client.get(url_for('.new_password', token=token))
+        assert response.status_code == 200
+        assert 'Message about email address does not exist. Some one needs to figure out the words here.' in \
+               response.get_data(as_text=True)
+
+
+def test_should_redirect_to_two_factor_when_password_reset_is_successful(notifications_admin,
+                                                                         notifications_admin_db,
+                                                                         notify_db_session,
+                                                                         mocker):
+    _set_up_mocker(mocker)
+    with notifications_admin.test_request_context():
+        with notifications_admin.test_client() as client:
+            user = create_test_user('request_password_reset')
+            token = generate_token(user.email_address)
+        response = client.post(url_for('.new_password', token=token), data={'new_password': 'a-new_password'})
+        assert response.status_code == 302
+        assert response.location == url_for('.two_factor', _external=True)
+        saved_user = users_dao.get_user_by_id(user.id)
+        assert check_hash('a-new_password', saved_user.password)
+        assert saved_user.state == 'active'
+
+
+def test_should_redirect_to_forgot_password_with_flash_message_when_token_is_expired(notifications_admin,
+                                                                                     notifications_admin_db,
+                                                                                     notify_db_session):
+    with notifications_admin.test_request_context():
+        with notifications_admin.test_client() as client:
+            notifications_admin.config['TOKEN_MAX_AGE_SECONDS'] = -1000
+            user = create_test_user('request_password_reset')
+            token = generate_token(user.email_address)
+        response = client.post(url_for('.new_password', token=token), data={'new_password': 'a-new_password'})
+        assert response.status_code == 302
+        assert response.location == url_for('.forgot_password', _external=True)
+        notifications_admin.config['TOKEN_MAX_AGE_SECONDS'] = 86400
+
+
+def test_should_redirect_to_forgot_password_when_user_is_active_should_be_request_password_reset(notifications_admin,
+                                                                                                 notifications_admin_db,
+                                                                                                 notify_db_session):
+    with notifications_admin.test_request_context():
+        with notifications_admin.test_client() as client:
+            user = create_test_user('active')
+            token = generate_token(user.email_address)
+        response = client.post(url_for('.new_password', token=token), data={'new_password': 'a-new_password'})
+        assert response.status_code == 302
+        assert response.location == url_for('.index', _external=True)
+
+
+def _set_up_mocker(mocker):
+    mocker.patch("app.admin_api_client.send_sms")
diff --git a/tests/app/main/views/test_register.py b/tests/app/main/views/test_register.py
index 666e9f86d..cdf021adc 100644
--- a/tests/app/main/views/test_register.py
+++ b/tests/app/main/views/test_register.py
@@ -31,7 +31,7 @@ def test_process_register_returns_400_when_mobile_number_is_invalid(notification
                                                             'password': 'validPassword!'})
 
     assert response.status_code == 200
-    assert 'Please enter a +44 mobile number' in response.get_data(as_text=True)
+    assert 'Enter a +44 mobile number' in response.get_data(as_text=True)
 
 
 def test_should_return_400_when_email_is_not_gov_uk(notifications_admin,
@@ -46,7 +46,7 @@ def test_should_return_400_when_email_is_not_gov_uk(notifications_admin,
                                                             'password': 'validPassword!'})
 
     assert response.status_code == 200
-    assert 'Please enter a gov.uk email address' in response.get_data(as_text=True)
+    assert 'Enter a gov.uk email address' in response.get_data(as_text=True)
 
 
 def test_should_add_verify_codes_on_session(notifications_admin, notifications_admin_db, mocker, notify_db_session):
diff --git a/tests/app/main/views/test_sign_out.py b/tests/app/main/views/test_sign_out.py
index 05fc8804d..31ccb055e 100644
--- a/tests/app/main/views/test_sign_out.py
+++ b/tests/app/main/views/test_sign_out.py
@@ -40,4 +40,4 @@ def test_sign_out_user(notifications_admin,
             response = client.get(url_for('main.sign_out'))
             assert response.status_code == 302
             assert response.location == url_for(
-                'main.sign_in', _external=True)
+                'main.index', _external=True)