Why is it necessary to confirm the old password when we create a new password?
Suppose that someone stole my password; he/she can easily change it by confirming the old password. So, I am curious why we need that step and what the purpose of the old password confirmation is.
It is to help you keep control of the account.

Some scenarios:

- Your cookie is stolen by someone via middleware or by some other method. If the site didn't prompt you for the old password, they could change the password and the recovery email, and then the account no longer belongs to you.
- If someone has access to a system where you are logged in, they can change the password and the recovery email, and then the account no longer belongs to you.
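To make the stolen-cookie scenario above concrete, here is an added example (not code from the answer or from any real site) of a password-change handler that re-authenticates with the current password, so a valid session alone is not enough to take over the account. The in-memory `UserStore`, `change_password` and the PBKDF2 iteration count are assumptions for the demo.

```python
# Added example: re-authenticating on password change so that a hijacked
# session (stolen cookie, unattended logged-in machine) cannot rotate the
# password. UserStore and change_password are hypothetical demo code.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 210_000  # illustrative work factor for the demo


def hash_password(password, salt=None):
    """Return (salt, derived_key) suitable for storing a password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    """Constant-time comparison of the candidate against the stored hash."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


class UserStore:
    """Constructed in-memory store: username -> salt, key, live session ids."""

    def __init__(self):
        self.users = {}

    def create(self, username, password):
        salt, key = hash_password(password)
        self.users[username] = {"salt": salt, "key": key, "sessions": set()}

    def login(self, username, password):
        u = self.users[username]
        if not verify_password(password, u["salt"], u["key"]):
            return None
        sid = os.urandom(16).hex()  # session id the browser keeps in a cookie
        u["sessions"].add(sid)
        return sid


def change_password(store, username, session_id, current_password, new_password):
    """Requires a valid session AND the current password. On success the hash
    is rotated and every other session is revoked, logging out an intruder."""
    u = store.users[username]
    if session_id not in u["sessions"]:
        return False
    if not verify_password(current_password, u["salt"], u["key"]):
        return False  # stolen cookie without the password stops here
    u["salt"], u["key"] = hash_password(new_password)
    u["sessions"] = {session_id}  # keep only the session that made the change
    return True
```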