Hacksplaining

Password Mismanagement

Your site will typically implement two password reset screens: one for logged-out users (reached by clicking a password reset link in an email), and one for users who are already logged in. Ensure this latter screen requires the user to re-enter their old password, in case they leave themselves logged in on a shared computer.

Internal reset screens should require the old password to be re-entered
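As an added illustration (not Hacksplaining's own code), the two handlers below show the difference: one trusts the logged-in session alone, the other also demands the current password before overwriting the stored hash. The in-memory store, PBKDF2 hashing and user names are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: username -> (salt, pbkdf2 digest).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(store: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username] = (salt, _hash(password, salt))

def verify(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    salt, digest = rec
    # Constant-time comparison of the stored digest against the candidate.
    return hmac.compare_digest(digest, _hash(password, salt))

# Weak internal reset: anyone holding the live session (e.g. the next person at a
# shared computer) can set a new password without knowing the current one.
def change_password_weak(store: dict, session_user: str, new_password: str) -> bool:
    if session_user not in store:
        return False
    salt = os.urandom(16)
    store[session_user] = (salt, _hash(new_password, salt))
    return True

# Hardened internal reset: the session alone is not enough; the current password
# must be re-entered and must verify before the stored hash is replaced.
def change_password(store: dict, session_user: str,
                    old_password: str, new_password: str) -> bool:
    if not verify(store, session_user, old_password):
        return False  # wrong current password: refuse and leave the hash untouched
    salt = os.urandom(16)
    store[session_user] = (salt, _hash(new_password, salt))
    return True
```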

© 2026 Hacksplaining Inc. All rights reserved. Questions? Email us at support@hacksplaining.com