We just received a security report on our Moodle installation, and one recommendation would be to secure email changes by asking for the user's password (sorry, I don't have an English proofreader with me at the moment).
Here's the risk: a malicious user intercepts a teacher's (or admin's!) session key with some fancy XSS. To get full control of the account, the malicious user can change the email address in the account and then get a new password with the "forgot password" feature.
If the password was requested for the email account, it would be much harder for the malicious user to take full control of the account.
Is there a plugin or some tweak that was done to achieve this behaviour?
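
The control the post asks about, as an added example that is not part of the original post and is not Moodle code: a stand-alone Python model in which holding the session key alone no longer suffices to change the email address. The `Accounts` class, its method names and the sample account are assumptions constructed for illustration.

```python
import hashlib, hmac, os, secrets

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Accounts:  # in-memory stand-in for an account store, constructed for this example
    def __init__(self):
        self.users = {}     # username -> {"email", "salt", "pwhash"}
        self.sessions = {}  # session key -> username

    def register(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pwhash": _kdf(password, salt)}

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None or not password:
            return False
        return hmac.compare_digest(user["pwhash"], _kdf(password, user["salt"]))

    def login(self, username, password):
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        key = secrets.token_urlsafe(32)
        self.sessions[key] = username
        return key

    def change_email_session_only(self, session_key, new_email):
        # Behaviour the post worries about: holding the session key is enough.
        self.users[self.sessions[session_key]]["email"] = new_email

    def change_email(self, session_key, new_email, current_password):
        # Hardened: a valid session AND the re-entered current password.
        username = self.sessions.get(session_key)
        if username is None:
            raise PermissionError("no valid session")
        if not self.check_password(username, current_password):
            raise PermissionError("re-authentication failed")
        self.users[username]["email"] = new_email

def demo():
    acc = Accounts()
    acc.register("teacher", "teacher@school.example", "correct horse battery")
    key = acc.login("teacher", "correct horse battery")  # assume this key leaks
    try:
        acc.change_email(key, "other@elsewhere.example", "")  # key, but no password
    except PermissionError as exc:
        return str(exc), acc.users["teacher"]["email"]
    return "changed", acc.users["teacher"]["email"]
```

With the hardened path, the address on file stays the one the "forgot password" mail is sent to, so the leaked session key does not convert into a password reset.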