When a user changes their Google account password and sign in to their Chromebook they have to enter their old password to be able to sign in. 

I know there are security reasons we do this but it's a very unfortunate flow for users who actually reset their password because they forgot it or who had their account hacked. In these cases the user is effectively locked out of their Chromebook forever (unless they reset it). 

Filing this as a feature request to improve the flow.

One possible path: GAIA lets you sign in with 2-factor auth (PIN sent to phone) if you are able to give them one of the previous passwords (last one you remember). Could we do the same or something similar?