diff --git a/app/controllers/users/verify_password_controller.rb b/app/controllers/users/verify_password_controller.rb
index 4f47a6ac0da..f292c08e1d2 100644
--- a/app/controllers/users/verify_password_controller.rb
+++ b/app/controllers/users/verify_password_controller.rb
@@ -7,19 +7,17 @@ class VerifyPasswordController < ApplicationController
     before_action :confirm_personal_key
 
     def new
-      @verify_password_form = VerifyPasswordForm.new(
-        user: current_user,
-        password: '',
-        decrypted_pii: decrypted_pii,
-      )
+      @decrypted_pii = decrypted_pii
     end
 
     def update
+      @decrypted_pii = decrypted_pii
       result = verify_password_form.submit
 
       if result.success?
         handle_success(result)
       else
+        flash[:error] = t('errors.messages.password_incorrect')
         render :new
       end
     end
diff --git a/app/views/users/verify_password/new.html.erb b/app/views/users/verify_password/new.html.erb
index d3aa5c21fe1..1d7809736b9 100644
--- a/app/views/users/verify_password/new.html.erb
+++ b/app/views/users/verify_password/new.html.erb
@@ -17,7 +17,6 @@
 
 <div class='mt4'>
   <%=  accordion('review-verified-info', t('idv.messages.review.intro')) do %>
-    <% decrypted_pii = @verify_password_form.decrypted_pii %>
-    <%= render 'shared/pii_review', pii: decrypted_pii, phone: decrypted_pii[:phone] %>
+    <%= render 'shared/pii_review', pii: @decrypted_pii, phone: @decrypted_pii[:phone] %>
   <% end %>
 </div>
diff --git a/spec/controllers/users/verify_password_controller_spec.rb b/spec/controllers/users/verify_password_controller_spec.rb
index 4e3f123fce0..8f70c319353 100644
--- a/spec/controllers/users/verify_password_controller_spec.rb
+++ b/spec/controllers/users/verify_password_controller_spec.rb
@@ -58,6 +58,7 @@
 
       describe '#update' do
         let(:form) { instance_double(VerifyPasswordForm) }
+        let(:pii) { { dob: Time.zone.today } }
 
         before do
           expect(controller).to receive(:verify_password_form).and_return(form)
@@ -79,8 +80,11 @@
         end
 
         context 'without valid password' do
+          render_views
+
           it 'renders the new template' do
             allow(form).to receive(:submit).and_return(response_bad)
+            allow(controller).to receive(:decrypted_pii).and_return(pii)
 
             put :update, params: { user: { password: user.password } }