I logged into my account at Wachovia with plans to change my password. It is a good idea, I believe, to periodically change your passwords, especially passwords related to financial accounts. When I went to the change password page, Wachovia didn't ask me my original password, but instead only asked for a new password, and to confirm my new password.
It is bad practice not to ask for the original password, because it lets someone deny me access to my account without ever knowing my password. If an attacker hijacked my session, for example, they could set a new password, lock me out, and take complete ownership of the account; asking for the current password turns the change into a re-authentication step that a stolen session alone cannot pass.
So my tip to you is: make sure you ask for the original password before allowing a user to change it.
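The following Python sketch is an added example, not code from the original post or from Wachovia's site. It contrasts the flow the post describes (a valid session is all that is needed to set a new password) with a hardened flow that re-verifies the current password and then invalidates every other session on the account. The in-memory user and session stores, the PBKDF2 parameters, and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a real user database and
# session table (assumption for this example, not any real system).
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session_id -> username

# PBKDF2-HMAC-SHA256 work factor; kept moderate so the demo runs quickly.
# Tune upward for production.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_password(username, password):
    """Store a fresh salted hash for the user (creates or overwrites)."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    candidate = hash_password(password, rec["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, rec["hash"])


def login(username, password):
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def change_password_insecure(session_id, new_password):
    """The pattern the post complains about: a live session is the only
    requirement, so whoever holds the session cookie can lock the real
    owner out without knowing the current password."""
    username = SESSIONS.get(session_id)
    if username is None:
        return False
    set_password(username, new_password)
    return True


def change_password_secure(session_id, current_password, new_password):
    """Hardened flow: re-verify the current password before accepting the
    new one, then drop every other session for the account so a hijacked
    session does not survive the change."""
    username = SESSIONS.get(session_id)
    if username is None:
        return False
    if not verify_password(username, current_password):
        return False
    set_password(username, new_password)
    for sid in [s for s, u in SESSIONS.items() if u == username and s != session_id]:
        del SESSIONS[sid]
    return True


def demo():
    """Walk through both flows with a constructed hijacked-session scenario."""
    USERS.clear()
    SESSIONS.clear()
    original = "correct horse battery staple"
    set_password("alice", original)
    owner_sid = login("alice", original)
    hijacked_sid = owner_sid  # attacker has copied the owner's session cookie

    # Insecure flow: attacker resets the password with only the session.
    insecure_takeover = change_password_insecure(hijacked_sid, "attacker-pw")
    owner_locked_out = not verify_password("alice", original)

    # Reset the account and try the same attack against the hardened flow.
    set_password("alice", original)
    guess_rejected = not change_password_secure(hijacked_sid, "wrong guess", "attacker-pw")
    owner_still_ok = verify_password("alice", original)

    # Owner logs in afresh, changes the password legitimately, and the
    # hijacked session is invalidated as a side effect.
    fresh_sid = login("alice", original)
    owner_changed = change_password_secure(fresh_sid, original, "new owner pw")
    hijacked_sid_dead = hijacked_sid not in SESSIONS
    fresh_alive = fresh_sid in SESSIONS

    return {
        "insecure_takeover": insecure_takeover,
        "owner_locked_out": owner_locked_out,
        "guess_rejected": guess_rejected,
        "owner_still_ok": owner_still_ok,
        "owner_changed": owner_changed,
        "hijacked_sid_dead": hijacked_sid_dead,
        "fresh_alive": fresh_alive,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details worth noting in the hardened flow: the current-password check runs against the stored hash with a constant-time comparison, and the session sweep after a successful change is what actually evicts an attacker who already holds a cookie; requiring the current password alone stops the attacker from changing it, but does not end their session.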
Read the complete post at http://renaissauce.com/thoughts/security-tip-require-original-password-to-change-password/