(Not a very good summary, but I couldn't come up with anything better) If you do a password change, you get a form asking you to enter your password twice. If you leave the matchpassword blank, then the request goes through anyway. This is because we're mixing |defined| (in token.cgi) and |if ($foo)| (in ValidatePassword). Since we don't allow blank passwords, we should probbaly just take any truth value for |chgpw|.
*** This bug has been marked as a duplicate of 123077 ***