diff --git a/src/backend/database/routes/users.ts b/src/backend/database/routes/users.ts
index 9b4b30f4..7ad84061 100644
--- a/src/backend/database/routes/users.ts
+++ b/src/backend/database/routes/users.ts
@@ -1339,6 +1339,7 @@ router.post("/complete-reset", async (req, res) => {
 },
 );
 await authManager.registerUser(userId, newPassword);
+ authManager.logoutUser(userId);
 } else {
 authLogger.success(
 `Password reset completed for user: ${username}. Data preserved using existing session.`,
diff --git a/src/backend/utils/user-crypto.ts b/src/backend/utils/user-crypto.ts
index ea55b8fe..0d4393b2 100644
--- a/src/backend/utils/user-crypto.ts
+++ b/src/backend/utils/user-crypto.ts
@@ -286,8 +286,7 @@ class UserCrypto {
 newKEK.fill(0);
 
 // Create a copy of DEK for the session before zeroing it out
- const dekCopy = Buffer.allocUnsafe(DEK.length);
- DEK.copy(dekCopy);
+ const dekCopy = Buffer.from(DEK);
 
 // Keep user session active with the same DEK
 const now = Date.now();
@@ -330,11 +329,6 @@ class UserCrypto {
 return false;
 }
 
- const kekSalt = await this.getKEKSalt(userId);
- if (!kekSalt) {
- return false;
- }
-
 // Generate new KEK from new password
 const newKekSalt = await this.generateKEKSalt();
 const newKEK = this.deriveKEK(newPassword, newKekSalt);
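Review bot: In src/backend/database/routes/users.ts, the added `authManager.logoutUser(userId);` is called without `await` and its result is ignored. If `logoutUser` returns a promise (its definition is not in this diff), a rejection would go unhandled and the handler could respond before the old session state is cleared, so `await authManager.logoutUser(userId);` would be safer. The call also sits only in the branch that re-registers the user. The `else` branch logs "Data preserved using existing session" and, as far as the hunk shows, leaves existing sessions valid after the password change, which deserves a comment stating that this is intended. The route handler starts and ends outside the hunk.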
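Review bot: In src/backend/utils/user-crypto.ts (hunk at -286), `dekCopy` is a second plaintext copy of the DEK that outlives this method, and the comment above it says why the copy is made but not who wipes it. I would extend it to something like `// Session owns dekCopy; it must be zero-filled when the session ends`, assuming the session teardown does that (not visible here). `Buffer.from(DEK)` copies the bytes just as the removed `allocUnsafe` plus `copy` pair did, so the change itself looks behaviour-preserving. The enclosing method starts and ends outside the hunk.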