diff --git a/canaille/account.py b/canaille/account.py
index cb129d53..ab08be62 100644
--- a/canaille/account.py
+++ b/canaille/account.py
@@ -358,7 +358,7 @@ def reset(uid, hash):
     user = User.get(uid)
 
     if not user or hash != profile_hash(
-        user.uid[0], user.userPassword[0] if user.has_password() else ""
+        user.uid[0], user.mail[0], user.userPassword[0] if user.has_password() else ""
     ):
         flash(
             _("The password reset link that brought you here was invalid."),
diff --git a/canaille/admin/mail.py b/canaille/admin/mail.py
index ecaddbdb..aad78c29 100644
--- a/canaille/admin/mail.py
+++ b/canaille/admin/mail.py
@@ -15,7 +15,7 @@ def reset_html(user):
     reset_url = url_for(
         "account.reset",
         uid=user.uid[0],
-        hash=profile_hash(user.uid[0], user.userPassword[0]),
+        hash=profile_hash(user.uid[0], user.mail[0], user.userPassword[0]),
         _external=True,
     )
 
@@ -38,7 +38,7 @@ def reset_txt(user):
     reset_url = url_for(
         "account.reset",
         uid=user.uid[0],
-        hash=profile_hash(user.uid[0], user.userPassword[0]),
+        hash=profile_hash(user.uid[0], user.mail[0], user.userPassword[0]),
         _external=True,
     )
 
diff --git a/canaille/mails.py b/canaille/mails.py
index 94ffcebb..6470e4dd 100644
--- a/canaille/mails.py
+++ b/canaille/mails.py
@@ -5,11 +5,12 @@ from flask_themer import render_template
 from .apputils import logo, send_email
 
 
-def profile_hash(user, password):
+def profile_hash(user, email, password=None):
     return hashlib.sha256(
         current_app.config["SECRET_KEY"].encode("utf-8")
         + user.encode("utf-8")
-        + password.encode("utf-8")
+        + email.encode("utf-8")
+        + (password.encode("utf-8") if password else b"")
     ).hexdigest()
 
 
@@ -19,7 +20,9 @@ def send_password_reset_mail(user):
         "account.reset",
         uid=user.uid[0],
         hash=profile_hash(
-            user.uid[0], user.userPassword[0] if user.has_password() else ""
+            user.uid[0],
+            user.mail[0],
+            user.userPassword[0] if user.has_password() else "",
         ),
         _external=True,
     )
@@ -57,7 +60,9 @@ def send_password_initialization_mail(user):
         "account.reset",
         uid=user.uid[0],
         hash=profile_hash(
-            user.uid[0], user.userPassword[0] if user.has_password() else ""
+            user.uid[0],
+            user.mail[0],
+            user.userPassword[0] if user.has_password() else "",
         ),
         _external=True,
     )
diff --git a/tests/test_password_reset.py b/tests/test_password_reset.py
index 5727a22c..c4fde03e 100644
--- a/tests/test_password_reset.py
+++ b/tests/test_password_reset.py
@@ -5,7 +5,7 @@ def test_password_reset(testclient, slapd_connection, user):
     user.attr_type_by_name(conn=slapd_connection)
     user.reload(conn=slapd_connection)
     with testclient.app.app_context():
-        hash = profile_hash("user", user.userPassword[0])
+        hash = profile_hash("user", user.mail[0], user.userPassword[0])
 
     res = testclient.get("/reset/user/" + hash, status=200)
 
@@ -40,7 +40,7 @@ def test_password_reset_bad_password(testclient, slapd_connection, user):
     user.attr_type_by_name(conn=slapd_connection)
     user.reload(conn=slapd_connection)
     with testclient.app.app_context():
-        hash = profile_hash("user", user.userPassword[0])
+        hash = profile_hash("user", user.mail[0], user.userPassword[0])
 
     res = testclient.get("/reset/user/" + hash, status=200)