diff --git a/debian/changelog b/debian/changelog
index 76746f71..c7368bc0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-hedera-web (1.407.40) stable; urgency=low
+hedera-web (1.407.41) stable; urgency=low
 
   * Initial Release.
 
diff --git a/forms/account/conf/conf.js b/forms/account/conf/conf.js
index 95fb03a5..68188877 100644
--- a/forms/account/conf/conf.js
+++ b/forms/account/conf/conf.js
@@ -1,77 +1,81 @@
 
-Hedera.Conf = new Class
-({
+Hedera.Conf = new Class({
 	Extends: Hedera.Form
 
-	,activate: function ()
-	{
-		this.$('user-model').setInfo ('c', 'myClient', 'hedera');
+	,activate: function() {
+		this.$('user-model').setInfo('c', 'myClient', 'hedera');
+
+		console.log(this.hash.get('verificationToken'));
+
+		if (this.hash.get('verificationToken'))
+			this.onPassChangeClick();
 	}
 	
-	,onPassChangeClick: function ()
-	{
+	,onPassChangeClick: function() {
 		this.$('old-password').value = '';
 		this.$('new-password').value = '';
 		this.$('repeat-password').value = '';
 
-		var recoverPass = this.$('user-form').get ('recoverPass');
-		this.$('old-password').style.display = recoverPass ? 'none' : 'block';
-		this.$('change-password').show ();
+		var verificationToken = this.hash.get('verificationToken');
+		this.$('old-password').style.display = verificationToken ? 'none' : 'block';
+		this.$('change-password').show();
 
-		if (recoverPass)
-			this.$('new-password').focus ();
+		if (verificationToken)
+			this.$('new-password').focus();
 		else
-			this.$('old-password').focus ();
+			this.$('old-password').focus();
 	}
 
-	,onPassModifyClick: function ()
-	{
+	,onPassModifyClick: function() {
 		try {
 			var oldPassword = this.$('old-password').value;
 			var newPassword = this.$('new-password').value;
 			var repeatedPassword = this.$('repeat-password').value;
 
 			if (newPassword == '' && repeatedPassword == '')
-				throw new Error (_('Passwords empty'));
+				throw new Error(_('Passwords empty'));
 			if (newPassword !== repeatedPassword)
-				throw new Error (_('Passwords doesn\'t match'));
+				throw new Error(_('Passwords doesn\'t match'));
 		
-			var params = {	
-				oldPassword: oldPassword,
-				newPassword: newPassword
-			};
-			this.conn.send ('core/change-password', params,
-				this._onPassChange.bind (this));
-		}
-		catch (e)
-		{
-			Htk.Toast.showError (e.message);
+			var verificationToken = this.hash.get('verificationToken');
+			var params = {newPassword: newPassword};
+
+			if (verificationToken) {
+				params.verificationToken = verificationToken;
+				this.conn.send('core/restore-password', params,
+					this._onPassChange.bind(this));
+			} else {
+				params.oldPassword = oldPassword;
+				this.conn.send('core/change-password', params,
+					this._onPassChange.bind(this));
+			}
+		} catch (e) {
+			Htk.Toast.showError(e.message);
 		}
 	}
 	
-	,_onPassChange: function (json, error)
-	{
-		if (json)
-		{
-			this.$('change-password').hide ();
-			Htk.Toast.showMessage (_('Password changed!'));
-			this.$('user-form').refresh ();
-		}
-		else
-		{
-			Htk.Toast.showError (error.message);
-			this.$('old-password').select ();
+	,_onPassChange: function(json, error) {
+		if (json) {
+			this.$('change-password').hide();
+			this.hash.unset('verificationToken');
+			Htk.Toast.showMessage(_('Password changed!'));
+			this.$('user-form').refresh();
+		} else {
+			Htk.Toast.showError(error.message);
+
+			if (this.hash.get('verificationToken'))
+				this.$('new-password').select();
+			else
+				this.$('old-password').select();
 		}
 	}
 	
-	,onPassInfoClick: function ()
-	{
-		this.$('password-info').show ();
+	,onPassInfoClick: function() {
+		this.$('password-info').show();
 	}
 	
-	,onAddressesClick: function ()
-	{
-		this.hash.set ({form: 'account/address-list'});
+	,onAddressesClick: function() {
+		this.hash.set({form: 'account/address-list'});
 	}
 });
 
diff --git a/forms/account/conf/ui.xml b/forms/account/conf/ui.xml
index 636ca665..28c315fb 100644
--- a/forms/account/conf/ui.xml
+++ b/forms/account/conf/ui.xml
@@ -11,8 +11,8 @@
 	<db-form id="user-form">
 		<db-model property="model" id="user-model" updatable="true">
 			<custom>
-				SELECT u.id, u.name, u.email, u.recoverPass,
-						u.nickname, u.lang, c.isToBeMailed, c.id clientFk
+				SELECT u.id, u.name, u.email, u.nickname,
+						u.lang, c.isToBeMailed, c.id clientFk
 					FROM account.myUser u
 						LEFT JOIN myClient c
 							ON u.id = c.id
diff --git a/js/vn/hash.js b/js/vn/hash.js
index f1311ace..c96ff5de 100644
--- a/js/vn/hash.js
+++ b/js/vn/hash.js
@@ -34,6 +34,15 @@ module.exports =
 	,get: function(key) {
 		return this._hashMap[key];
 	}
+
+	/**
+	 * Unsets a hash key.
+	 *
+	 * @param {string} key The variable name
+	 **/
+	,unset: function(key) {
+		this.add({[key]: undefined});
+	}
 	
 	/**
 	 * Sets the hash part of the URL, respecting the current hash variables.
diff --git a/package.json b/package.json
index 021a15a4..16db8ada 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "hedera-web",
-  "version": "1.407.40",
+  "version": "1.407.41",
   "description": "Verdnatura web page",
   "license": "GPL-3.0",
   "repository": {
diff --git a/rest/core/change-password.php b/rest/core/change-password.php
index a999e836..4897d4f5 100644
--- a/rest/core/change-password.php
+++ b/rest/core/change-password.php
@@ -6,11 +6,11 @@ include __DIR__.'/account.php';
  * Updates the user password.
  **/
 class ChangePassword extends Vn\Web\JsonRequest {
-	const PARAMS = ['newPassword'];
+	const PARAMS = ['oldPassword', 'newPassword'];
 
 	function run($db) {
-		$newPassword = $_REQUEST['newPassword'];
 		$oldPassword = $_REQUEST['oldPassword'];
+		$newPassword = $_REQUEST['newPassword'];
 
 		$db->query('CALL account.myUser_changePassword(#, #)',
 			[$oldPassword, $newPassword]);
diff --git a/rest/core/recover-password.php b/rest/core/recover-password.php
index 5eb34352..95a76fc8 100644
--- a/rest/core/recover-password.php
+++ b/rest/core/recover-password.php
@@ -6,61 +6,31 @@ class RecoverPassword extends Vn\Web\JsonRequest {
 	const PARAMS = ['recoverUser'];
 
 	function run($db) {
+		$recoverUser = $_REQUEST['recoverUser'];
+
 		$user = $db->getRow(
 			'SELECT email, active FROM account.user WHERE name = #',
-			[$_REQUEST['recoverUser']]
+			[$recoverUser]
 		);
 
 		if (!($user['active'] && $user['email']))
 			return TRUE;
 
+		$verificationToken = bin2hex(random_bytes(16));
+		$db->query(
+			'UPDATE account.user SET verificationToken = #
+				WHERE name = #',
+			[$verificationToken, $recoverUser]
+		);
+
 		$service = $this->service;
-		$token = $service->createToken($_REQUEST['recoverUser'], FALSE, TRUE);
-		$url = $service->getUrl() ."#!form=account/conf&token=$token";
+		$token = $service->createToken($recoverUser);
+		$url = $service->getUrl() ."#!form=account/conf&verificationToken=$verificationToken&token=$token";
 
 		$report = new Vn\Web\Report($db, 'recover-password', ['url' => $url]);
 		$report->sendMail($user['email']);
 
-		return \Vn\Lib\Locale::get();
 		return TRUE;
 	}
-
-	const LOWERS = 'abcdefghijklmnopqrstuvwxyz';
-	const UPPERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
-	const DIGITS = '1234567890';
-	const SYMBOLS = '!$%&()=.';
-
-	function genPassword($db) {
-		$restrictions = $db->getRow(
-			'SELECT length, nUpper, nDigits, nPunct FROM account.userPassword');
-		
-		$pass = [];
-		$newPass = '';
-		
-		$nAlpha = $restrictions['length'] -(
-			$restrictions['nUpper'] +
-			$restrictions['nDigits'] +
-			$restrictions['nPunct']);
-
-		$this->genRands($pass, self::LOWERS, $nAlpha);
-		$this->genRands($pass, self::UPPERS, $restrictions['nUpper']);
-		$this->genRands($pass, self::DIGITS, $restrictions['nDigits']);
-		$this->genRands($pass, self::SYMBOLS, $restrictions['nPunct']);
-		
-		for ($i = count($pass) - 1; $i >= 0; $i--) {
-			$rand = rand(0, $i);
-			$newPass .= $pass[$rand];
-			array_splice($pass, $rand, 1);
-		}
-
-		return $newPass;
-	}
-	
-	function genRands(&$pass, $chars, $max) {
-		$len = strlen($chars) - 1;
-	
-		for ($i = 0; $i < $max; $i++)
-			$pass[] = $chars[rand(0, $len)];
-	}
 }
 
diff --git a/rest/core/restore-password.php b/rest/core/restore-password.php
new file mode 100644
index 00000000..2875b922
--- /dev/null
+++ b/rest/core/restore-password.php
@@ -0,0 +1,21 @@
+<?php
+
+use Vn\Web;
+
+/**
+ * Restores the user password.
+ **/
+class RestorePassword extends Vn\Web\JsonRequest {
+	const PARAMS = ['verificationToken', 'newPassword'];
+
+	function run($db) {
+		$verificationToken = $_REQUEST['verificationToken'];
+		$newPassword = $_REQUEST['newPassword'];
+
+		$db->query('CALL account.myUser_restorePassword(#, #)',
+			[$verificationToken, $newPassword]);
+		Account::sync($db, $_SESSION['user'], $newPassword);
+		return TRUE;
+	}
+}
+
diff --git a/web/service.php b/web/service.php
index aa65df31..e16dfe45 100644
--- a/web/service.php
+++ b/web/service.php
@@ -180,13 +180,6 @@ abstract class Service {
 					throw new SessionExpiredException();
 
 				$user = $jwtPayload['sub'];
-					
-				if (!empty($jwtPayload['recover']))
-					$db->query(
-						'UPDATE account.user SET recoverPass = TRUE
-							WHERE name = #',
-						[$user]
-					);
 			}
 			else {
 				$user = $db->getValue('SELECT guestUser FROM config');
@@ -263,7 +256,7 @@ abstract class Service {
 	 * @param {boolean} $recover Wether to enable recovery mode on login
 	 * @return {string} The JWT generated token
 	 */
-	function createToken($user, $remember = FALSE, $recover = FALSE) {
+	function createToken($user, $remember = FALSE) {
 		if ($remember)
 			$tokenLife = WEEK;
 		else
@@ -274,9 +267,6 @@ abstract class Service {
 			'exp' => time() + $tokenLife
 		];
 		
-		if ($recover)
-			$payload['recover'] = 'TRUE';
-		
 		$key = $this->db->getValue('SELECT jwtKey FROM config');
 		return Jwt::encode($payload, $key);
 	}