diff --git a/app/models/user.rb b/app/models/user.rb
index 0feb07c26..378d4a12d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -393,17 +393,22 @@ class User < ApplicationRecord
   end
 
   def reset_password!
+    # First, change password to something random, this revokes sessions and on-going access:
+    change_password!(SecureRandom.hex)
+
+    # Finally, send a reset password prompt to the user
+    send_reset_password_instructions
+  end
+
+  def change_password!(new_password)
     # First, change password to something random and deactivate all sessions
     transaction do
-      update(password: SecureRandom.hex)
+      update(password: new_password)
       session_activations.destroy_all
     end
 
     # Then, remove all authorized applications and connected push subscriptions
     revoke_access!
-
-    # Finally, send a reset password prompt to the user
-    send_reset_password_instructions
   end
 
   protected
diff --git a/lib/mastodon/cli/accounts.rb b/lib/mastodon/cli/accounts.rb
index 1b33f5605..25e966bd8 100644
--- a/lib/mastodon/cli/accounts.rb
+++ b/lib/mastodon/cli/accounts.rb
@@ -165,14 +165,17 @@ module Mastodon::CLI
         user.role_id = nil
       end
 
-      password = SecureRandom.hex if options[:reset_password]
-      user.password = password if options[:reset_password]
       user.email = options[:email] if options[:email]
       user.disabled = false if options[:enable]
       user.disabled = true if options[:disable]
       user.approved = true if options[:approve]
       user.disable_two_factor! if options[:disable_2fa]
 
+      # Password changes are a little different, as we also need to ensure
+      # sessions, subscriptions, and access tokens are revoked after changing:
+      password = SecureRandom.hex if options[:reset_password]
+      user.change_password!(password) if options[:reset_password]
+
       if user.save
         user.confirm if options[:confirm]
 
diff --git a/spec/lib/mastodon/cli/accounts_spec.rb b/spec/lib/mastodon/cli/accounts_spec.rb
index 7287b6a03..d9c6aadde 100644
--- a/spec/lib/mastodon/cli/accounts_spec.rb
+++ b/spec/lib/mastodon/cli/accounts_spec.rb
@@ -361,11 +361,20 @@ RSpec.describe Mastodon::CLI::Accounts do
       context 'with --reset-password option' do
         let(:options) { { reset_password: true } }
 
+        let(:user) { Fabricate(:user, password: original_password) }
+        let(:original_password) { 'foobar12345' }
+        let(:new_password) { 'new_password12345' }
+
         it 'returns a new password for the user' do
-          allow(SecureRandom).to receive(:hex).and_return('new_password')
+          allow(SecureRandom).to receive(:hex).and_return(new_password)
+          allow(Account).to receive(:find_local).and_return(user.account)
+          allow(user).to receive(:change_password!).and_call_original
 
           expect { subject }
-            .to output_results('new_password')
+            .to output_results(new_password)
+
+          expect(user).to have_received(:change_password!).with(new_password)
+          expect(user.reload).to_not be_external_or_valid_password(original_password)
         end
       end