It's short, and can be redundant, but it's a safety feature nonetheless.
I have "require gold password to login" enabled. I forgot my password, and I deleted my cookies, logging me out of d2jsp. When I recovered it, it did not ask me for my gold password to recover, and yet when I reset the password, it immediately logged me back in.
It's redundant, but I feel it's still a (possible) security loophole.
The Suggestion:
- Require it so that even when you do an e-mail recovery, gold password is required to get on if you have that feature enabled.