No no I must have miscommunicated. I do not want to make the user provide a password when they order. If they reorder, I don't want them to have to login. I took the password away totally.
They provide an email and place the order. If they have ordered in the past, then just their email is sufficient.
If placing a second order, the system gives the error msg: (That email address is already registered.) If we don't require a password the user doesn't know their password to login which will cause them to request their password. The fear is that by this time we will have lost the sale.