in reply to Re^2: User Editor Page and clear text passwords (do it)
in thread User Editor Page and clear text passwords

I was going to say that there should be three fields: old password and new password twice. That way stealing a cookie wouldn't allow you to change the victim's password (without an additional cracking step).
You could tackle that the other way around. You do have everybody's email address from the time when they requested a user account, don't you? Granted, it's possible that address is no longer valid, but that aside...

What I'm thinking of is to send a mail to this address whenever the password is changed, with the new password. That way, the original author can always steal his own account back.

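The two mechanisms discussed in this thread (require the old password plus the new one entered twice, and mail the account's address when the password changes) as one worked example. This is added illustration code, not anything from the thread or from the PerlMonks user editor; the in-memory USERS store, the PBKDF2 hashing, the example.com addresses and the minimum length are assumptions. The post above proposes putting the new password in the mail; here that is a flag, off by default, since a mailbox is often less protected than the account it would unlock.

```python
import hashlib
import hmac
import os
from email.message import EmailMessage

PBKDF2_ROUNDS = 200_000      # assumed; tune to your hardware
MIN_PASSWORD_LENGTH = 8      # assumed policy


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(username: str, email: str, password: str) -> dict:
    """Build a user record (constructed schema: username, email, salt, hash)."""
    salt = os.urandom(16)
    return {"username": username, "email": email, "salt": salt,
            "hash": _hash_password(password, salt)}


# Constructed sample store: the address captured when the account was requested.
USERS = {"monk": make_user("monk", "monk@example.com", "correct horse")}


def verify_password(users: dict, username: str, password: str) -> bool:
    user = users.get(username)
    if user is None:
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def change_password(users: dict, username: str, old_password: str,
                    new_password: str, new_password_again: str,
                    include_new_password: bool = False):
    """Change a password the way the thread describes.

    Returns (True, EmailMessage) on success or (False, reason) on failure.
    The old-password check is what stops someone holding only a stolen
    session cookie from setting a new password on the victim's account.
    """
    user = users.get(username)
    if user is None:
        return False, "no such user"
    if not verify_password(users, username, old_password):
        return False, "old password does not match"
    if new_password != new_password_again:
        return False, "new passwords do not match"
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return False, "new password too short"

    # Re-salt on every change so an old leaked hash tells nothing about the new one.
    new_salt = os.urandom(16)
    user["salt"] = new_salt
    user["hash"] = _hash_password(new_password, new_salt)

    # Notification to the address on file; the real owner learns of any change
    # made through a hijacked session and can reset the account.
    msg = EmailMessage()
    msg["From"] = "noreply@example.com"   # assumed sender
    msg["To"] = user["email"]
    msg["Subject"] = "Your password was changed"
    body = (f"The password for user '{username}' was just changed.\n"
            "If this was not you, reset your password immediately.\n")
    if include_new_password:
        # What the post proposes; disclosed only when explicitly requested.
        body += f"New password: {new_password}\n"
    msg.set_content(body)
    return True, msg


if __name__ == "__main__":
    ok, result = change_password(USERS, "monk", "correct horse", "new secret 1", "new secret 1")
    print(ok, result["To"] if ok else result)
```

The message is only built here; handing it to smtplib.SMTP.send_message, or whatever mailer the site already uses, is the remaining step.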