Standard security best practices dictate that we should require the user to provide their current password in the same form submission in which they specify a new password. This prevents "sneaker-net password change attacks."

If the user has forgotten their password and uses the one-time password link, we can skip requiring their old password because (a) they don't know it any more and (b) they just verified access to their email. HOWEVER, this implies that we have to require the current password before allowing a user to change their email address or else the sneaker-net attack is still possible.
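The rule above, written out as a form-validation check (an added example, not code from Drupal or from this issue). The password-hashing helpers and the `AccountEdit` fields are assumptions used to make the example runnable; the hashing scheme is a stand-in, not the site's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical stand-in for the site's password hashing (PBKDF2, salt$digest).
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    # Constant-time comparison so a wrong guess does not leak timing information.
    return hmac.compare_digest(candidate.hex(), digest_hex)

@dataclass
class AccountEdit:
    via_onetime_link: bool          # session opened through the one-time (forgot-password) link
    current_password: Optional[str]
    new_password: Optional[str]
    new_email: Optional[str]

def validate_account_edit(edit: AccountEdit, stored_hash: str, stored_email: str) -> List[str]:
    """Return validation errors; an empty list means the edit may be applied."""
    errors: List[str] = []
    changing_password = bool(edit.new_password)
    changing_email = edit.new_email is not None and edit.new_email != stored_email
    # Password change: the current password is required, except when the user just
    # proved email access via the one-time link (they no longer know the old one).
    # Email change: the current password is required on every path, otherwise the
    # sneaker-net attack is still possible through the reset flow.
    needs_current = changing_email or (changing_password and not edit.via_onetime_link)
    if needs_current:
        if not edit.current_password:
            errors.append("current password is required")
        elif not verify_password(edit.current_password, stored_hash):
            errors.append("current password is incorrect")
    return errors
```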

Comments

Pancho

Status: Active » Closed (duplicate)