Index: src/wp-includes/user.php
===================================================================
--- src/wp-includes/user.php	(revision 32625)
+++ src/wp-includes/user.php	(working copy)
@@ -2267,7 +2267,14 @@
 		$wp_hasher = new PasswordHash( 8, true );
 	}
 
-	if ( $wp_hasher->CheckPassword( $key, $row->user_activation_key ) )
+	list( $pass_key, $pass_exp ) = explode( ':', $row->user_activation_key );
+
+	$expire_time = apply_filters( 'password_reset_expiration', '24 hours' );	
+
+	if( time() > strtotime( $expire_time, $pass_exp ) )
+		return new WP_Error( 'expired_key', __( 'Your password reset token has expired.' ) );
+
+	if ( $wp_hasher->CheckPassword( $key, $pass_key ) )
 		return get_userdata( $row->ID );
 
 	if ( $key === $row->user_activation_key ) {
Index: src/wp-login.php
===================================================================
--- src/wp-login.php	(revision 32625)
+++ src/wp-login.php	(working copy)
@@ -357,7 +357,7 @@
 		require_once ABSPATH . WPINC . '/class-phpass.php';
 		$wp_hasher = new PasswordHash( 8, true );
 	}
-	$hashed = $wp_hasher->HashPassword( $key );
+	$hashed = $wp_hasher->HashPassword( $key ) . ':' . time();
 	$wpdb->update( $wpdb->users, array( 'user_activation_key' => $hashed ), array( 'user_login' => $user_login ) );
 
 	$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
@@ -525,7 +525,7 @@
 		if ( 'invalidkey' == $_GET['error'] )
 			$errors->add( 'invalidkey', __( 'Sorry, that key does not appear to be valid.' ) );
 		elseif ( 'expiredkey' == $_GET['error'] )
-			$errors->add( 'expiredkey', __( 'Sorry, that key has expired. Please try again.' ) );
+			$errors->add( 'expiredkey', __( 'Sorry, your password reset link has expired. Please request a new link below.' ) );
 	}
 
 	$lostpassword_redirect = ! empty( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';