Just got this email from a user today:
One suggestion, to avoid typos when entering the new pwd, perhaps you should use either a duplicate field for them to enter their new pwd, or force them to log in after they enter their new pwd .
Most systems ask for password confirmation when signing up. What were the reasons why Discourse chose not to? Can this be made optional?