Need to address three issues:

• Password changes - Current implementation doesn't require the old password
• Password resets - There is no user based "I forgot my password"
• Password resets by an admin

We also may want an account lock out / throttle. After ten bad passwords, have a thirty second delay between the latest request. Clear this field when a user successfully logs in.