Require Entering of LJ Password to Change Email Address
Short, concise description of the idea
Since the ability to change the email address is equivalent to the ability to retrieve the password, it should be protected with the same level of security.
Full description of the idea
When going to change the email address, the user should be asked to enter their password, even if logged in. If the password is incorrect, then do not allow the email address change.
An ordered list of benefits
Greater security for users who leave themselves logged in. Not that we in any way wish to encourage such a practice, but we might as well make it slightly less harmful. The idea of a stranger able to read all your protected entries and post to your friends as you should be discouraging enough.
An ordered list of problems/issues involved
Minor inconvenience for legitimate email address changes. But users usually do not need to change addresses often.
Users who leave themselves logged in all the time and thus forget their passwords and then lose access to their email address have effectively lost their accounts. But I think this is far less common than users leaving themselves logged in somewhere.
An organized list, or a few short paragraphs detailing suggestions for implementation
Either add changing the email address to the changing the password page, and make it to change your address or password... or put it on its own page.
Then only let people change their email address if they know the password for the account.