If a user inputs some info into a form and there are multiple problems with it, which error should be reported to the user? Or should all of them be reported?
Ideally, I suppose I should be reporting the errors with JS as soon as the problematic data was entered. That sounds like the least painful for the user, and not atypical. I can easily imagine being frustrated by a system that required me to re-enter a new password, usually twice, because I'd mis-typed my old one. And I might then be told that my new password is invalid for some reason.
But you probably shouldn't check the old password that way. Of course, you shouldn't leave your computer with the password typed in anyway, so maybe that would be fine.
This is where it's best not to try to make things entirely foolproof. I'll drive myself crazy.