
Change password should not accept the current user password.  #15569

@Tom5421

Description:

When a user is forced to change their password, they can enter their current password, therefore not changing it at all. Furthermore, on the user account settings page, change password has the same behaviour.

Steps to reproduce:

  1. Go to account page, on the change password screen.
  2. Change password, enter your current password.

Or

  1. From the admin panel, force a user to change their password.
  2. Login as that user and enter the current password on the change password screen.

Expected behavior:

The system should check to ensure the current password has not been entered and confirm it does not match the current password.

Actual behavior:

It allows me to enter the current password, so effectively not changing the password, even if an admin has clicked the force password reset button.

Server Setup Information:

  • Version of Rocket.Chat Server: 1.3.2
  • Operating System: Ubuntu 18.04.3 LTS
  • Deployment Method: snap
  • Number of Running Instances: 1
  • NodeJS Version: 8.11.4
  • MongoDB Version: 3.4.20

Additional context

As a security caution, an admin may want to force the user to change their password if their old password has been compromised. This feature would allow them to set the current password as the new one, potentially allowing that user account to be compromised again.

Another feature which may also be handy would be to have a password history stored in the database, so they can't choose any of their last X passwords, if enabled in the password policy. This should be a customisation option.
