Confirm password on update page
I've got a security assist generated update page for changing a user's registered details.
The site is not yet live but during testing of this page it allows a user's registration details to be changed even by adding text to the confirm password field which is not the correct password.
It wont allow the change if the confirm field is left blank but will allow the change if any random text is entered.
This is a standard SA generated update page so I would have expected a check on the stored password agaisnt the confirmed entry. Is this how it should be?