Confirm password change via email

So, I just changed my password, and I was surprised it didn't send me an email to confirm my password change. I feel like this is a security issue since if someone hacked into your account, they could take full control of it by changing the password without me knowing about it. Also, there is no way to tell if someone is logged into your account since you don't get logged out when you change the password, but you do when changing the email. This makes no sense.

My request is, confirm password changes via email, log out when you change the password, and confirm email change by email.

Edit: I didn't check if I was logged out in another browser, and yeah, I was logged out in another browser, so forget about the log out part.

That all sounds good except I don't understand confirm email change by email. Is that to make sure you don't mistype your new address? Or do you mean confirm to the old address? I think the reason people change their email address is that they no longer have access to the old one.

I was thinking of something like what Scratch (and most other sites) does when you change the email. Confirm with the new email.

As I'm writing this, I realize that if someone had your password, they could get into your account, change the email, then change the password, and they would be able to take control of your account, so maybe this isn't a really good idea. Instead, I think it should just email you when you change your email just to see if it works. And with the password, maybe email to say something like, "your password was changed".
