Your site will typically implement two password reset screens - one for logged out users
(after clicking on a password reset link in an email), and one for users already logged in. Ensure
this latter screen requires the user to re-enter their old password, in case they leave themselves
logged in on a shared computer.
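
One way to enforce the old-password check on the logged-in screen, as an added example (not code from the original page). The dict-based `user` and `session` records, the function names and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password, salt=None):
    """Return (salt, digest) derived with PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class ChangeRefused(Exception):
    """Raised when a password change request must not be applied."""


def change_password(user, session, old_password, new_password):
    """Logged-in password change: a valid session alone is not enough.

    `user` is a dict with 'id', 'salt' and 'digest'; `session` is a dict
    with 'user_id'. Both are hypothetical stand-ins for real storage.
    """
    if session.get("user_id") != user["id"]:
        raise ChangeRefused("not logged in as this user")
    # Re-derive from the supplied old password and compare in constant time.
    _, candidate = hash_password(old_password or "", user["salt"])
    if not hmac.compare_digest(candidate, user["digest"]):
        raise ChangeRefused("old password incorrect")
    if not new_password or new_password == old_password:
        raise ChangeRefused("new password must be non-empty and different")
    # Only now is the stored credential replaced, with a fresh salt.
    user["salt"], user["digest"] = hash_password(new_password)
    return True


def make_user(user_id, password):
    """Build a constructed sample user record for the example."""
    salt, digest = hash_password(password)
    return {"id": user_id, "salt": salt, "digest": digest}
```

Someone who finds the session open on a shared computer holds a valid session but not the old password, so `change_password` refuses and the stored digest is left untouched.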