The current code for linking FAS accounts to rhbz accounts asks for a username/password to verify that the current user is indeed the owner of said account.
Asking users for passwords isn't exactly ideal behavior and it would be better to send a verification link to the email address for verification purposes. Not 100% foolproof but definitely good enough for our purposes.
Metadata Update from @adamwill: - Issue tagged with: enhancement
Login to comment on this ticket.