Confirmation of old password isn't such a big deal. If you are concerned that a password was shared with another site and not changed, the attacker has an easier test: use the password at the other site.
On the other hand, major utility boost for users. "I KNOW this is my password!" Actually, it was your password before you changed it. "Oh right."
I know I do this quite frequently. Enter password. (Wrong.) Guess I have to change it. Reset. (New password must be different than existing password.) My "new" password is the one I changed it to last time, before forgetting.
This happens to me with arcane password requirements that only tell you the requirements after you reset it.
try various passwords -> "Invalid password" -> send reset password email -> click email -> "passwords require a special character AND a number AND an unprintable character" -> me: ooooh, its that one -> enter it -> "password already used" -> enter another password I'll definitely forget next time.
There are websites I need so occasionally that I'm sure that I have never logged in without resetting my password.
On the other hand, major utility boost for users. "I KNOW this is my password!" Actually, it was your password before you changed it. "Oh right."
I know I do this quite frequently. Enter password. (Wrong.) Guess I have to change it. Reset. (New password must be different than existing password.) My "new" password is the one I changed it to last time, before forgetting.