The change password form on a larger supplements website does not have the added security feature of requiring the user to enter their existing password. At the moment the user can simply set a new password without knowing the existing one.
If a user leaves their computer unattended for a few minutes (while logged in), we don’t want someone else to be able to walk by and quickly change their password. For one thing, this would allow the attacker to change the associated email address, too, and now the legitimate owner is never getting his/her account back.
Authentication relies on something you know (e.g., a password or pass phrase), and/or something that identifies you (e.g., a user name, a fingerprint, voiceprint, retina print). Something you know and something that identifies you are presented for authentication.
Add a “current password” field to the “change password” form.
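One way a server-side handler could enforce this, shown as an added example that is not the site's own code. The in-memory `USERS` store and all function names are hypothetical, and PBKDF2 stands in for whatever password hashing the site actually uses.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store (assumption); a real site would use its database.
USERS = {}

def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}

def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(user["hash"], _hash(password, user["salt"]))

def change_password(session_user, current_password, new_password, confirm_password):
    """Handle a change-password form post for the logged-in user; returns (ok, message)."""
    if session_user not in USERS:
        return False, "not logged in"
    # A valid session alone is not enough: the existing password is re-checked,
    # so someone at an unattended, logged-in browser cannot set a new one.
    if not verify_password(session_user, current_password):
        return False, "current password is incorrect"
    if new_password != confirm_password:
        return False, "new passwords do not match"
    if not new_password or new_password == current_password:
        return False, "choose a different new password"
    salt = os.urandom(16)
    USERS[session_user] = {"salt": salt, "hash": _hash(new_password, salt)}
    return True, "password changed"

if __name__ == "__main__":
    register("alice", "old-pass-123")  # constructed sample account
    print(change_password("alice", "guess", "new-pass-456", "new-pass-456"))
    print(change_password("alice", "old-pass-123", "new-pass-456", "new-pass-456"))
```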
Reply Regarding This Issue
The reply came within half an hour and was very friendly, even rewarding me with discount points to the site, which I was very happy with.