The basic solution has already been given. In addition to that simple query, some things you should always remember when dealing with passwords and database queries:
- The password should be hashed in the database. This means that if someone gets hold of your database they don't have all your users' passwords – particularly important as many people re-use passwords for several services. This means that you should be hashing the password string before setting it in the UPDATE statement, and if you want to follow Abhinav's/Ravi's advice and check the old password too, you should hash the old password text box's contents before putting it in the WHERE clause, too.
- Use parameterised queries if you can. If you can't, at least make sure that you always escape user text which is to be entered into a query. Queries built up from text are how SQL injection vulnerabilities get into software, and it should be a reflex when you build a query to either use parameters or to escape everything you are putting into that string from textual user input.
So the pseudocode for your process should be something like:
// Pseudocode: a parameterised UPDATE that also checks the old password.
bool UpdatePassword(string username, string old, string new1, string new2) {
    if (new1 != new2) return false;   // the two "new password" boxes must agree
    // Placeholders are not quoted: the driver supplies the value, so no escaping by hand.
    Query q = new Query("update users set password=@NewPassword where username=@Username and password=@OldPassword");
    q.SetParameter("NewPassword", SHA1(username + new1));   // hash before it goes anywhere near the statement
    q.SetParameter("OldPassword", SHA1(username + old));    // the old password in the WHERE clause is hashed the same way
    q.SetParameter("Username", username);                   // the username column is stored in clear, so it is not hashed
    return 1 == q.Execute().AffectedRows;                   // exactly one row changed means the old password matched
}
How exactly you set up a parameterised query may depend on the interface you're using to talk to the database, but hopefully it is similar enough to that pseudocode that you can adapt it. Replace SHA1 with your hash of choice and add salts, etc., to the hashing process if you like.
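As an added example (not code from the answer above), the same procedure in Python with the standard-library sqlite3 module: every query is parameterised, the stored value is a salted PBKDF2 hash rather than a bare SHA1, and the old password is checked with a constant-time comparison before the UPDATE runs. The table layout, the column names and the 200,000 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune for your hardware)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: two users with the same password get different stored values.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.commit()


def update_password(conn: sqlite3.Connection, username: str,
                    old: str, new1: str, new2: str) -> bool:
    if new1 != new2:
        return False
    # Parameterised lookup: the username travels as data, never spliced into the SQL text.
    row = conn.execute("SELECT salt, password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the old password's hash against the stored hash.
    if not hmac.compare_digest(hash_password(old, salt), stored):
        return False
    new_salt = os.urandom(16)  # fresh salt on every password change
    cur = conn.execute("UPDATE users SET salt = ?, password_hash = ? WHERE username = ?",
                       (new_salt, hash_password(new1, new_salt), username))
    conn.commit()
    return cur.rowcount == 1  # exactly one row changed


def demo_db() -> sqlite3.Connection:
    # Constructed in-memory database with one sample user (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, password_hash BLOB)")
    create_user(conn, "alice", "correct horse battery staple")
    return conn
```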