Channel: Issues for Drupal core

Password reset token is never deleted from the user's session after the password is changed


If you use the password reset link in Drupal 8, you can reset your password without typing in the previous one (by design).

However, if after changing your password, you reload the edit form again (with the password reset token still in the URL) you can change it again, still without ever typing in the previous one.

You're not supposed to be able to do this. In Drupal 7, user_profile_form_submit() unsets the password reset variable in the user's session once the password is changed the first time, so the reset grant is consumed by that first change. This code is gone in Drupal 8.

A little work with git bisect suggests that what probably happened is that first the code got accidentally broken, and then someone else (noticing that it no longer did anything) removed it...
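To make the missing step concrete, here is an added illustration (not Drupal core code, and not the Drupal 7 or 8 implementation) of the one-time reset flow: the session flag that lets a user skip the current-password check, and the `unset` in the submit handler that consumes it. The `$session` array, function names, uid 42 and the 24-hour lifetime are hypothetical; the walk-through at the end shows a first change succeeding without the old password and a second attempt in the same session being refused until the current password is supplied.

```php
<?php
// Constructed example, not Drupal core code. Models the password-reset
// session flag and the point at which it must be cleared.

// Called when a valid reset link is followed: records a one-time grant
// for this user in the session (hypothetical key naming).
function grant_password_reset(array &$session, int $uid, int $now): void {
    $session['pass_reset_' . $uid] = $now;
}

// The question the account form asks: may this request skip the
// current-password requirement? Expired grants are not honoured.
function may_skip_current_password(array $session, int $uid, int $now, int $ttl = 86400): bool {
    $key = 'pass_reset_' . $uid;
    if (!isset($session[$key])) {
        return false;
    }
    return ($now - $session[$key]) < $ttl;
}

// Submit handler logic. The bug described in the report is the absence of
// the unset() below: while the grant stays in the session, every later
// submission can change the password again without the current one.
function save_new_password(array &$session, int $uid, string $newPass,
                           string $currentPass, string &$storedHash, int $now): bool {
    if (!may_skip_current_password($session, $uid, $now)
        && !password_verify($currentPass, $storedHash)) {
        // Current password required and not correct: refuse the change.
        return false;
    }
    $storedHash = password_hash($newPass, PASSWORD_DEFAULT);
    // The grant is single-use: consume it on the first successful change.
    unset($session['pass_reset_' . $uid]);
    return true;
}

// Walk-through with a constructed session and account.
$session = [];
$hash = password_hash('old-secret', PASSWORD_DEFAULT);
grant_password_reset($session, 42, time());
// 1. Reset link honoured: change without the old password.
$first  = save_new_password($session, 42, 'new-one', '', $hash, time());
// 2. Same session, grant consumed: no current password, change refused.
$second = save_new_password($session, 42, 'new-two', '', $hash, time());
// 3. Supplying the now-current password is what is required from here on.
$third  = save_new_password($session, 42, 'new-two', 'new-one', $hash, time());
var_dump($first, $second, $third);
```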

