It's just an extra measure, not protecting the server from a malicious user, but an honest user's potential mismanagement of credentials.