What is the purpose of confirming old password to create a new password?

If you are logged in and I sit down at your computer, I can lock you out of your account and transfer ownership to myself.


Two main reasons:

  1. If your session is compromised (e.g. you leave the computer and someone else jumps on, or there is a remote session compromise vulnerability), it prevents another person from changing the password, locking you out of your own account.
  2. If you are enforcing a password change, you can then check that the old and new passwords don't match, without needing to store the old password in a recoverable form: you can check it, then check that the new one isn't the same, even with fully salted password hashes. While you can check exact matches with just the hash, it doesn't allow for checks such as "ensure that the new password isn't the old password with the last digit incremented by one", which are sometimes required by more sensitive applications.
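As an added example (not code from any of the answers above), here is how that second point looks in practice: the submitted old password is verified against a salted PBKDF2 hash, and only then compared with the new password, so the service can reject an exact repeat or a trailing-number-plus-one variant (and, going slightly beyond the answer, a case-only change) without ever storing the old password in recoverable form. The function names and PBKDF2 parameters are my own choices, not anything the answer specifies.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune for your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) for a password, with a fresh random salt by default."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time check of a candidate password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def trivial_variants(old_password):
    """Yield passwords that count as 'the same' as the old one for policy purposes:
    the exact old password, and the old password with its trailing number
    incremented by one (e.g. 'Summer2024' -> 'Summer2025', 'pass09' -> 'pass10')."""
    yield old_password
    m = re.search(r"(\d+)$", old_password)
    if m:
        digits = m.group(1)
        yield old_password[: m.start()] + str(int(digits) + 1).zfill(len(digits))


def is_trivial_change(old_password, new_password):
    """True if the new password is a variant the policy should reject."""
    if new_password in trivial_variants(old_password):
        return True
    return new_password.lower() == old_password.lower()  # case-only change


def change_password(stored, old_password, new_password):
    """Run the change-password flow. Returns (ok, reason, stored_after).
    The old password exists in memory only for this request, which is what
    makes the similarity checks possible with nothing but a salted hash on disk."""
    salt, digest = stored
    if not verify_password(old_password, salt, digest):
        return False, "old password incorrect", stored
    if is_trivial_change(old_password, new_password):
        return False, "new password too similar to old password", stored
    return True, "password changed", hash_password(new_password)
```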

To augment the other answers, I'll add another reason: to confirm that the keyboard is working as the user intends.

Caps lock can invert the case, and Num lock can change whether typing e.g. a "4" on the keypad will instead move the cursor left. Some interfaces show a warning, but many don't.

Most OSs have software keyboard layouts. Being able to type your old password correctly is good evidence that you're intent on using the current layout.

I've also had individual keys stop working, which causes frustration as you troubleshoot why you can't log in from any other keyboard.