Section
1.2.5
General
The password change page should require the old password and two copies of the new password. There should only be one change password mechanism.
Django

The password_reset views in contrib.auth.views use a single-use token sent to the user via e-mail, but do not require the old password.

Natural Webagent
This is handled automatically when using EID authentication.
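
The General requirement above, as a framework-independent check. This is an added example, not code from Django or Natural Webagent; the record layout, the function names, the reason strings and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def change_password(record, old_password, new_password1, new_password2):
    """Require the old password plus two matching copies of the new one.

    `record` is a hypothetical stored credential: {"salt": bytes, "key": bytes}.
    Returns (ok, reason); the record is modified only when ok is True.
    """
    # All three fields are mandatory.
    if not (old_password and new_password1 and new_password2):
        return False, "missing_field"
    # Verify the old password before anything else, in constant time.
    _, candidate = hash_password(old_password, record["salt"])
    if not hmac.compare_digest(candidate, record["key"]):
        return False, "old_password_incorrect"
    # The two copies of the new password must be identical.
    if new_password1 != new_password2:
        return False, "new_passwords_differ"
    # Store the new password under a fresh salt.
    record["salt"], record["key"] = hash_password(new_password1)
    return True, "changed"


def demo():
    """Run the check over constructed inputs and return the outcomes."""
    salt, key = hash_password("correct horse")  # constructed sample credential
    record = {"salt": salt, "key": key}
    return [
        change_password(record, "", "n3w-pass", "n3w-pass"),
        change_password(record, "wrong guess", "n3w-pass", "n3w-pass"),
        change_password(record, "correct horse", "n3w-pass", "n3w-pazz"),
        change_password(record, "correct horse", "n3w-pass", "n3w-pass"),
        change_password(record, "correct horse", "other", "other"),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The last call in demo() fails because the old password stopped being valid once the change succeeded.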