Go to 'My Profile'. Set secret question and answer to non-empty strings and save. Then change password and save. User's secret answer is deleted (you can see this in the database).
I'm going to assume this is a bug, rather than a security feature because
- There's no warning to the user
- It inadvertently re-instates the secret question because it's on the same form
I think the problem is HibernateUserDAO.updateUserPassword(..) which saves a new LoginCredentials object for the user with nulls for secret question and answer.
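To illustrate the mechanism suspected above, here is an added example (not OpenMRS's own code) that models the two ways a password update can be persisted: building a fresh credentials object that carries nulls for everything but the password, versus loading the existing row and changing only the password field. The class and field names, the in-memory store standing in for Hibernate's saveOrUpdate, and the sample row are all assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Simplified, hypothetical model of a credentials row: one record per user
// holding the hashed password plus the secret question/answer pair.
// Not OpenMRS's LoginCredentials; the field names are assumptions.
class LoginCredentials {
    final int userId;
    String hashedPassword;
    String secretQuestion;
    String secretAnswer;

    LoginCredentials(int userId, String hashedPassword, String secretQuestion, String secretAnswer) {
        this.userId = userId;
        this.hashedPassword = hashedPassword;
        this.secretQuestion = secretQuestion;
        this.secretAnswer = secretAnswer;
    }
}

// In-memory stand-in for the DAO's persistence layer (hypothetical).
class CredentialsStore {
    private final Map<Integer, LoginCredentials> rows = new HashMap<>();

    LoginCredentials load(int userId) {
        return rows.get(userId);
    }

    // Mirrors a saveOrUpdate keyed on the user: the stored row becomes the object given.
    void saveOrUpdate(LoginCredentials creds) {
        rows.put(creds.userId, creds);
    }
}

class UserDAOExample {
    // Buggy pattern described in the report: a fresh LoginCredentials is built with
    // only the new password, so the saved row carries nulls for question and answer.
    static void updateUserPasswordBuggy(CredentialsStore store, int userId, String newHash) {
        LoginCredentials fresh = new LoginCredentials(userId, newHash, null, null);
        store.saveOrUpdate(fresh);
    }

    // Corrected pattern: load the existing row and change only the password field,
    // so columns unrelated to the password (secret question and answer) are preserved.
    static void updateUserPasswordFixed(CredentialsStore store, int userId, String newHash) {
        LoginCredentials existing = store.load(userId);
        if (existing == null) {
            throw new IllegalStateException("no credentials row for user " + userId);
        }
        existing.hashedPassword = newHash;
        store.saveOrUpdate(existing);
    }

    // Regression check: the secret answer must survive a password change.
    static boolean secretAnswerSurvives(boolean useFix) {
        CredentialsStore store = new CredentialsStore();
        // Constructed sample row for the check; values are not from any real database.
        store.saveOrUpdate(new LoginCredentials(7, "hash-old", "First pet?", "Rex"));
        if (useFix) {
            updateUserPasswordFixed(store, 7, "hash-new");
        } else {
            updateUserPasswordBuggy(store, 7, "hash-new");
        }
        LoginCredentials after = store.load(7);
        return Objects.equals(after.secretAnswer, "Rex") && "hash-new".equals(after.hashedPassword);
    }

    public static void main(String[] args) {
        System.out.println("buggy path keeps secret answer: " + secretAnswerSurvives(false));
        System.out.println("fixed path keeps secret answer: " + secretAnswerSurvives(true));
    }
}
```

The check in secretAnswerSurvives is the kind of regression test that would catch this class of bug in the real DAO: set a secret question and answer, change the password through the DAO, then assert the answer is still present on the reloaded row.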