Andrew, > This removes one of the validation parts from OemChangePasswordUser2. > Can someone else verify that this doesn't provide a route for an > attacker? as we discussed on IRC, this looks fine to me. The cross-hash checks seem to be redundent. I suspect we should check them if supplied though. Cheers, Tridge