diff --git a/src/Http/Controllers/NewPasswordController.php b/src/Http/Controllers/NewPasswordController.php
index fd82f56c..ccb62d4c 100644
--- a/src/Http/Controllers/NewPasswordController.php
+++ b/src/Http/Controllers/NewPasswordController.php
@@ -57,6 +57,8 @@ public function store(Request $request): Responsable
 $request->validate([
 'token' => 'required',
 Fortify::email() => 'required|email',
+ 'password' => 'required|confirmed',
+ 'password_confirmation' => 'required',
 ]);

 // Here we will attempt to reset the user's password. If it is successful we
diff --git a/tests/NewPasswordControllerTest.php b/tests/NewPasswordControllerTest.php
index 8e092cd1..5ac31482 100644
--- a/tests/NewPasswordControllerTest.php
+++ b/tests/NewPasswordControllerTest.php
@@ -61,9 +61,6 @@ public function test_password_reset_can_fail()
 {
 Password::shouldReceive('broker')->andReturn($broker = Mockery::mock(PasswordBroker::class));

- $guard = $this->mock(StatefulGuard::class);
- $user = Mockery::mock(Authenticatable::class);
-
 $broker->shouldReceive('reset')->andReturnUsing(function ($input, $callback) {
 return Password::INVALID_TOKEN;
 });
@@ -130,4 +127,15 @@ public function test_password_can_be_reset_with_customized_email_address_field()
 $response->assertStatus(302);
 $response->assertRedirect('/login');
 }
+
+ public function test_password_and_password_confirmation_are_required()
+ {
+ $response = $this->post('/reset-password', [
+ 'token' => 'token',
+ 'email' => 'taylor@laravel.com',
+ ]);
+
+ $response->assertStatus(302);
+ $response->assertSessionHasErrors(['password', 'password_confirmation']);
+ }
 }
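Review bot: The new `password` rule in `store()` does not constrain the type, so a non-empty array passes `required`, and `confirmed` only checks that it matches `password_confirmation`. A password-reset request comes from a caller who is not logged in, so I would pin the type at this boundary with `'password' => 'required|string|confirmed',` so that a non-string never reaches the broker callback or the hasher. Length and strength rules are presumably enforced in the reset action, which is outside this hunk; worth confirming, since this controller rule enforces neither. The body of `store()` continues past the hunk.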
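Review bot: The added test only posts a request with both fields missing, so the `confirmed` half of the new rule is never exercised and a regression that dropped it would still pass. I would add a second case that sends a `password` with a different `password_confirmation` and asserts a session error on `password`. The sketch below uses constructed sample values and sits next to the new test inside the same class.

```php
    // … unchanged: test_password_and_password_confirmation_are_required() …

    public function test_password_confirmation_must_match()
    {
        // Constructed sample values: the two password fields deliberately differ.
        $response = $this->post('/reset-password', [
            'token' => 'token',
            'email' => 'taylor@laravel.com',
            'password' => 'password',
            'password_confirmation' => 'different-password',
        ]);

        $response->assertStatus(302);
        $response->assertSessionHasErrors(['password']);
    }
```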