diff --git a/ghost/security/lib/tokens.js b/ghost/security/lib/tokens.js
index 9614d06fe0..a0d31de2bf 100644
--- a/ghost/security/lib/tokens.js
+++ b/ghost/security/lib/tokens.js
@@ -45,7 +45,7 @@ module.exports.resetToken = {
 hash.update(String(expires));
 hash.update(email.toLocaleLowerCase());
- hash.update(password);
+ hash.update(String(password));
 hash.update(String(dbHash));
 text += [expires, email, hash.digest('base64')].join('|');
diff --git a/ghost/security/test/tokens.test.js b/ghost/security/test/tokens.test.js
index adfbf01287..515e41b38f 100644
--- a/ghost/security/test/tokens.test.js
+++ b/ghost/security/test/tokens.test.js
@@ -20,6 +20,22 @@ describe('Utils: tokens', function () {
 token.length.should.be.above(0);
 });
+ it('generate allow numeric password', function () {
+ const expires = Date.now() + 60 * 1000;
+ const dbHash = uuid.v4();
+ let token;
+
+ token = security.tokens.resetToken.generateHash({
+ email: 'test1@ghost.org',
+ expires: expires,
+ password: 123456,
+ dbHash: dbHash
+ });
+
+ should.exist(token);
+ token.length.should.be.above(0);
+ });
+
 it('compare: success', function () {
 const expires = Date.now() + 60 * 1000;
 const dbHash = uuid.v4();
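Review bot: In ghost/security/lib/tokens.js, `String(password)` also turns a missing value into text: `undefined` becomes `"undefined"` and `null` becomes `"null"`, so a caller that omits the password now gets a well-formed reset token bound to a constant instead of the error `hash.update()` raised before. The password is the input that ties a reset token to the current credential, so I would reject absent values before hashing, e.g. `if (password === undefined || password === null) { throw new TypeError('password is required'); }`, and keep the coercion for numbers. If an empty password is legitimate for some accounts, map it to `''` explicitly rather than letting it become a literal word. Whether the comparison path hashes the same coerced value is not visible here; the enclosing function starts and ends outside the hunk.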
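Review bot: The new test in ghost/security/test/tokens.test.js only checks that a token exists and is non-empty, which would still pass if the number were hashed in some form other than its decimal text. Pin the behaviour the fix relies on by asserting equality with the string case, e.g. `token.should.equal(security.tokens.resetToken.generateHash({email: 'test1@ghost.org', expires: expires, password: '123456', dbHash: dbHash}));`. A matching case among the compare tests that follow would show that a numeric password also verifies. As a style point, `let token;` followed by a single assignment can be written as `const token = ...`.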