diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/PasswordChangeRequestSpamMitigation.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/PasswordChangeRequestSpamMitigation.java
index d9eba855c3..31e8d1e1bc 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/PasswordChangeRequestSpamMitigation.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/PasswordChangeRequestSpamMitigation.java
@@ -12,21 +12,25 @@ public class PasswordChangeRequestSpamMitigation {
     private static final Map requestFrequency = new HashMap<>();
 
-    private static void initializeHistoryRequestDataIfNotExists(String emailAddress) {
+    private static final long INTERVAL_INCREASE_MINUTES = 1;
+
+    private static boolean initializeHistoryRequestDataIfNotExists(String emailAddress) {
         if (requestHistory.containsKey(emailAddress)) {
-            return;
+            return false;
         }
         requestHistory.put(emailAddress, LocalDateTime.now());
         requestFrequency.put(emailAddress, 0);
+        return true;
     }
 
     public static PasswordChangeRequestSpamMitigationResponse isPasswordResetRequestable(UserAccount userAccount) {
-        initializeHistoryRequestDataIfNotExists(userAccount.getEmailAddress());
+        boolean justInitialised = initializeHistoryRequestDataIfNotExists(userAccount.getEmailAddress());
         Integer numberOfSuccessiveRequests = requestFrequency.get(userAccount.getEmailAddress());
         LocalDateTime momentOfFirstRequest = requestHistory.get(userAccount.getEmailAddress());
-        LocalDateTime nextRequestAvailableAt = momentOfFirstRequest.plusMinutes(numberOfSuccessiveRequests * 10);
+        LocalDateTime nextRequestAvailableAt =
+            momentOfFirstRequest.plusMinutes(numberOfSuccessiveRequests * INTERVAL_INCREASE_MINUTES);
         if (nextRequestAvailableAt.isAfter(LocalDateTime.now())) {
             String[] dateTimeTokens = nextRequestAvailableAt.toString().split("T");
@@ -35,6 +39,10 @@ public static PasswordChangeRequestSpamMitigationResponse isPasswordResetRequest
             return new PasswordChangeRequestSpamMitigationResponse(false, dateString, timeString);
         }
 
+        if (numberOfSuccessiveRequests > 0) {
+            requestHistory.put(userAccount.getEmailAddress(), LocalDateTime.now());
+        }
+
         return new PasswordChangeRequestSpamMitigationResponse(true);
     }
 
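Review bot: The new block only refreshes `requestHistory` when `numberOfSuccessiveRequests > 0`, yet nothing in this diff ever increments `requestFrequency` — `initializeHistoryRequestDataIfNotExists` stores 0 and `isPasswordResetRequestable` (whose opening lies outside this hunk) only reads it — so unless a method outside the diff maintains the counter, `nextRequestAvailableAt` is always the stored timestamp, the `isAfter(LocalDateTime.now())` check in the first hunk never fires, and the mitigation never denies a request. If the counter is meant to be kept here, add `requestFrequency.put(userAccount.getEmailAddress(), numberOfSuccessiveRequests + 1);` beside the new `put`; otherwise a comment naming where it is incremented would spare the next reader the same search. The new write also lands in a static map keyed by caller-supplied e-mail addresses that is never pruned (the `requestFrequency` declaration in the first hunk is a raw, non-thread-safe `HashMap`; `requestHistory` is declared outside the diff but used identically), so concurrent requests can race on it and every distinct address grows it permanently — a `ConcurrentHashMap` plus eviction of entries whose window has elapsed would bound that. Since this `put` overwrites the timestamp on every permitted request, `momentOfFirstRequest` no longer means what its name says; renaming it or adding `// window restarts at the last permitted request` above the new block would keep the two hunks consistent.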