By your argument, users should not be prompted for their current password to change their password, as that would provide them with a false sense of security. Or I guess now that they can just go and look up your password and then log in and change it on the site, they would not even need to do that. Security fail. You've set the bar way, way, way too low for easy compromise in seconds with no technical knowledge of computers needed.