By password change I mean when a logged on user decides to update their password i.e. they know the current password. The following need consider

1. Remember to add the functionality in the first place as it is good practise
2. Make sure the pages and responses are over HTTPS
3. The user should have to enter their original password and it should be checked to see if it is valid
4. Do not replace the step above with a secret question answer as these tend to be weak
5. Do not include the username in a field or hidden field when entering data and then rely on it when processing the change. As it may be possible for the value to be tampered with using a dom explorer (F12) instead relied on the logged on user name server side i.e. User.Identity.Name
6. Make sure the user must be logged on to access the functionality
7. Make sure autocomplete is discouraged – prevent browsers autocompleting on shared computers
8. Make sure caching is discouraged- prevent browsers using cached versions on shared computers
9. Remember to apply your password policy
10. On entering the original password incorrectly X times the account should lock (for a period of time)
11. If you have sessionstamping turned on remember to make sure to force a relogon Security Stamping
12. Email the user to tell them that a) the password is changed or b) the password is locked as someone tried to change it
13. Do not include the new password in any email as it will probably end up on a phone which can be lost