Yes. You can find the currently logged-in user with
auth.user.id, and look them up using the DAL, i.e. db.auth_user[auth.user.id], which returns the user's data, so you can verify the "password" field (of the table) against "form.new_password" (the name of the form field that you create).
All this is done by overwriting the view user/change_password (if you haven't changed the value of the retrieve-password URL) and doing the operations needed.
Tip: Before the user's form is submitted, try using .validate() on the form to handle these things.
Basically that's it, I think :D
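An added example, not part of the original reply: the stored "password" field is a salted hash, so comparing it with the new password means re-hashing the new password with the stored salt and parameters rather than comparing the strings directly. The stored layout `pbkdf2(iterations,keylen,digest)$salt$hexdigest` and the function names below are assumptions for illustration, and the code uses only the Python standard library rather than web2py itself.

```python
import hashlib
import hmac
import os
import re

# Assumed layout of the stored auth_user.password value:
#   pbkdf2(<iterations>,<key length>,<digest>)$<salt>$<hex digest>
STORED = re.compile(r"^pbkdf2\((\d+),(\d+),(\w+)\)\$([^$]+)\$([0-9a-f]+)$")


def hash_password(plain, salt=None, iterations=1000, keylen=20, alg="sha512"):
    """Build a stored value in the assumed layout (fresh salt if none given)."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac(
        alg, plain.encode("utf-8"), salt.encode("utf-8"), iterations, keylen
    ).hex()
    return "pbkdf2(%d,%d,%s)$%s$%s" % (iterations, keylen, alg, salt, digest)


def matches_stored(plain, stored):
    """True if `plain` hashes to `stored` under the salt and parameters in `stored`."""
    m = STORED.match(stored)
    if m is None:
        raise ValueError("unrecognised stored password format")
    iterations, keylen, alg, salt, _ = m.groups()
    candidate = hash_password(plain, salt, int(iterations), int(keylen), alg)
    # Constant-time comparison of the two encoded strings.
    return hmac.compare_digest(candidate, stored)


def new_password_error(new_password, stored):
    """Return an error message for the form, or None if the change is acceptable."""
    if matches_stored(new_password, stored):
        return "New password must differ from the current one"
    return None


if __name__ == "__main__":
    # Constructed sample: in the app, `stored` would be
    # db.auth_user[auth.user.id].password
    stored = hash_password("correct horse battery")
    print(new_password_error("correct horse battery", stored))
    print(new_password_error("a different passphrase", stored))
```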