Why do we ask for a user's existing password when changing their password?

If a user leaves their computer unattended for a few minutes (while logged in), we don't want someone else to be able to walk by and quickly change their password. For one thing, this would allow the attacker to change the associated email address, too, and now the legitimate owner is never getting his/her account back.

For another thing, just think of the potential for office pranks!

Changing your password is a sensitive enough operation that it makes sense to require the user to re-authenticate. And, since changing your password is a relatively rare operation, this doesn't introduce much inconvenience for users: it only changes the user experience in the rare cases where you change your password.


Apart from the security motivation expressed by other answers (because the password is very sensitive and we do not want someone gaining transient access, e.g. a lunch-time raid, to transform it into permanent access), there can be practical issues. For instance, in systems where there are password-encrypted user secrets, the old password is needed in order to decrypt such data and re-encrypt it with the new password. This is exactly what happens on Windows operating systems (it is one of the big differences with the Unix security model), and it may apply to some Web-based systems as well (depending on what the Web-based system does).


This is called the TOCTOU principle (Time of Check / Time of Use), which means that the authentication assurance of the user's identity (i.e. the user is still the same user that authenticated to the system) is too low to allow him to perform some actions, such as changing password or redefining the identity.

To make sure that the authentication assurance level is as high as possible when critical actions are done, the "delta TOCTOU" (the time between the check of credentials and the use of their privilege) must be as short as possible to prevent the issues addressed by D.W.

For me, this is an obvious example of an adjustable compromise between security and usability.
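A small model of the password-change handler the answers above describe, added here as an example that is not from the thread: the handler re-authenticates with the current password and acts in the same step (the point made by D.W.), and that same password is needed to unwrap a password-encrypted user secret before it is re-wrapped under the new one (the point about Windows-style password-encrypted secrets). The `Account` class, the sub-key labels and the toy keystream are assumptions for illustration only.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes) -> bytes:
    # Slow password-to-key derivation (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream: enough to show that a password-encrypted
    # secret is unwrapped with the old password and re-wrapped with the new one.
    # A real system would use an AEAD such as AES-GCM instead.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Account:
    def __init__(self, password: str, secret: bytes):
        self._wrap(password, secret)

    def _wrap(self, password: str, secret: bytes) -> None:
        self.salt = os.urandom(16)  # fresh salt on every password change
        key = derive_key(password, self.salt)
        # Separate sub-keys for the stored verifier and for wrapping the secret.
        self.verifier = hmac.new(key, b"verify", "sha256").digest()
        self.wrapped = keystream_xor(hmac.new(key, b"encrypt", "sha256").digest(), secret)

    def _check(self, password: str):
        # Return the derived key if the password is correct, else None.
        key = derive_key(password, self.salt)
        tag = hmac.new(key, b"verify", "sha256").digest()
        return key if hmac.compare_digest(tag, self.verifier) else None

    def change_password(self, old: str, new: str) -> str:
        # Re-authenticate with the current password and act in the same step: a
        # logged-in session alone is not enough, and no "already verified" flag is kept.
        key = self._check(old)
        if key is None:
            return "bad_password"
        secret = keystream_xor(hmac.new(key, b"encrypt", "sha256").digest(), self.wrapped)
        self._wrap(new, secret)
        return "ok"

    def read_secret(self, password: str):
        key = self._check(password)
        if key is None:
            return None
        return keystream_xor(hmac.new(key, b"encrypt", "sha256").digest(), self.wrapped)
```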