Should admin users confirm their password before changing a user password?

This is an anti-pattern of the least privilege principle. In the common case, a "reset password" button should be enough, which will lead the target user to a password reset form.

But if you need exactly a "set new password" button, then you should consider two relevant attack vectors - CSRF and XSS. If you mitigate them well, that should be quite enough without additional authentication.


The decision is likely to come down to the admin user profile. For dedicated admin teams there may be other supplemental controls such as restrictions on the devices that can be used, device hardening and access controlled ops rooms to reduce the risk of attacks. These supplemental controls may remove the need to require re-authentication prior to allowing reset of someone else's password.

If admin responsibilities have been devolved partially or fully to trusted users amongst the user community, for example in a branch office, then there is the possibility of normal users or even members of the public having access to the same devices as the admin users.

To try and prevent misuse of privilege in this scenario it might be appropriate to require secondary authentication to ensure that it is still the same (authorised) person requesting the password reset (i.e. to make sure they have not walked away and left a machine logged in by mistake).
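As an added example (not code from either answer), here is the pattern the two answers describe, in plain Python with no web framework: the admin "set password" handler rejects requests without a valid CSRF token (compared in constant time) and, optionally, requests where the admin has not re-entered their own password recently, while `issue_reset_link` shows the "reset password" button alternative in which the admin never chooses the user's password. The names `Session`, `REAUTH_WINDOW`, `admin_set_password`, `issue_reset_link`, the 300-second re-authentication window and the 15-minute token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

REAUTH_WINDOW = 300  # seconds since the admin last re-entered their own password (assumed)

@dataclass
class Session:
    user_id: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_auth_at: float = 0.0  # epoch seconds of the admin's last password check

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def issue_reset_link(target: dict, now: float) -> str:
    """The 'reset password' button: the admin never learns or chooses the new
    password; the user gets a single-use token and only its hash is stored."""
    token = secrets.token_urlsafe(32)
    target["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
    target["reset_expires"] = now + 900  # 15-minute lifetime (assumed)
    return token  # would be e-mailed to the user, never shown in the admin UI

def admin_set_password(session, form, users, require_reauth=True, now=None):
    """Handler for POST /admin/users/<id>/password. Returns (status, message)."""
    now = time.time() if now is None else now
    if not session.is_admin:
        return 403, "admin role required"
    # CSRF: synchroniser token submitted with the form, compared in constant time
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"
    # Re-authentication window for shared-device deployments (the second answer)
    if require_reauth and now - session.last_auth_at > REAUTH_WINDOW:
        return 401, "re-authentication required"
    target = users.get(form.get("user_id"))
    if target is None:
        return 404, "no such user"
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "password too short"
    target["password_hash"] = hash_password(new_password)
    target["sessions_revoked_at"] = now  # force the target user to log in again everywhere
    return 200, "password updated"
```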