Fixed #56: invalidate tokens on password change, also added change password form