In https://security.drupal.org/node/161566, which was released in https://www.drupal.org/SA-CORE-2016-005, a cache context was added to the "name" query parameter on the password reset form. @catch observed:
This is going to result in a lot of cache entries. We should probably placeholder the title or set the form to max_age=0 instead.
See: