diff --git a/core/modules/user/config/user.settings.yml b/core/modules/user/config/user.settings.yml
index efc0e4bf4da95f512341e71ba1b12d4a4d48123d..b4c8a58f35dd97bf3247190a079e8357bcbeaf61 100644
--- a/core/modules/user/config/user.settings.yml
+++ b/core/modules/user/config/user.settings.yml
@@ -13,3 +13,4 @@ notify:
 register: visitors
 signatures: '0'
 cancel_method: user_cancel_block
+password_reset_timeout: '86400'
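Review bot: The added default `password_reset_timeout: '86400'` is a quoted string, while the test in UserPasswordResetTest.php saves the integer `43200` to the same key, so code reading this setting can receive either type. The unit is also no longer stated anywhere, since the "24 hours = 86400 seconds" comment is removed from user.pages.inc in this same change. If this file format tolerates comments, I would add `# Lifetime of one-time login links, in seconds (86400 = 24 hours).` above the key. Otherwise the unit should be documented where the value is read.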
diff --git a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
index 96ac5dedbc725993f15fc4fd78760dcfb47d9e6e..bb70f7873ec54eb3745f89bf33543cbd5e6bf66d 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserPasswordResetTest.php
@@ -41,10 +41,8 @@ function testUserPasswordReset() {
    * Attempts login using an expired password reset link.
    */
   function testUserPasswordResetExpired() {
-    // Set password reset timeout variable to 43200 seconds = 12 hours.
-    $timeout = 43200;
-    variable_set('user_password_reset_timeout', $timeout);
-
+    // Set password reset timeout to 43200 seconds = 12 hours.
+    config('user.settings')->set('password_reset_timeout', 43200)->save();
     // Create a user.
     $account = $this->drupalCreateUser();
     $this->drupalLogin($account);
@@ -54,7 +52,8 @@ function testUserPasswordResetExpired() {
 
     // To attempt an expired password reset, create a password reset link as if
     // its request time was 60 seconds older than the allowed limit of timeout.
-    $bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60;
+    $timeout = config('user.settings')->get('password_reset_timeout');
+    $bogus_timestamp = REQUEST_TIME - $timeout - 60;
     $this->drupalGet("user/reset/$account->uid/$bogus_timestamp/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login));
     $this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
   }
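Review bot: The expired-link check built from `$bogus_timestamp = REQUEST_TIME - $timeout - 60;` would still pass if the page never received the configured value. With a NULL or zero timeout the link is simply 60 seconds old, and it would presumably still be reported as expired. The test therefore does not show that `password_reset_timeout` is actually honoured after the move to config. I would add a second request with a timestamp inside the window, e.g. `REQUEST_TIME - $timeout + 60`, and assert that the "has expired" text is absent. Whether testUserPasswordReset already covers a fresh link under a non-default timeout is not visible here, and testUserPasswordResetExpired starts in the previous hunk.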
diff --git a/core/modules/user/user.install b/core/modules/user/user.install
index d5c3e4a56e3c070276c9a81efff42ed834e2eda2..520ad8e46607a8f9acd9c5e280992ded428e3ebe 100644
--- a/core/modules/user/user.install
+++ b/core/modules/user/user.install
@@ -496,6 +496,7 @@ function user_update_8004() {
     'user_mail_status_blocked_notify' => 'notify.status_blocked',
     'user_mail_status_cancelled_notify' => 'notify.status_cancelled',
     'user_email_verification' => 'verify_mail',
+    'user_password_reset_timeout' => 'password_reset_timeout',
   ));
 
   // Convert the user.settings:register numeric value to text value.
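Review bot: The new mapping `'user_password_reset_timeout' => 'password_reset_timeout'` is appended to the existing user_update_8004() rather than a new update function, so any site that has already run 8004 will never migrate its stored value. Such a site would silently fall back to the shipped 86400-second default, which lengthens the one-time login link lifetime if the administrator had shortened it. If already-updated sites are in scope, this belongs in a new `user_update_N()`. If they are not, a comment such as `// Added after 8004 first shipped; sites that already ran it keep the default.` would record the decision. The function begins before this hunk and continues after it.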
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index 1fd8aa548da7c487d3dc038e4cc219124ccbcb59..20af863271320e8c8cf1acf1be7d7451540cc05b 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -119,9 +119,8 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
     drupal_goto();
   }
   else {
-    // Time out, in seconds, until login URL expires. Defaults to 24 hours =
-    // 86400 seconds.
-    $timeout = variable_get('user_password_reset_timeout', 86400);
+    // Time out, in seconds, until login URL expires.
+    $timeout = config('user.settings')->get('password_reset_timeout');
     $current = REQUEST_TIME;
     $account = user_load($uid);
     // Verify that the user exists and is active.
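Review bot: `$timeout` in the `else` branch now comes straight from config with no fallback, where the removed `variable_get()` call supplied 86400 when nothing was set. If the key is absent, zero or non-numeric, the expiry comparison works with NULL or an unexpected value. That comparison is outside this hunk, so whether it then rejects every link or accepts stale ones cannot be told from here. Because this number bounds how long a one-time login link stays usable, I would validate it at the point of use, e.g. `$timeout = (int) config('user.settings')->get('password_reset_timeout');` followed by `if ($timeout <= 0) { $timeout = 86400; }`. user_pass_reset starts and ends outside the hunk.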