Actually currently (2.4.3) you can extend ChangePasswordForm and then use Object::useCustomClass as joel suggests, but it will not be picked up.
The above method works fine for MemberLoginForm as when that is called in MemberAuthenticator it uses Object::create instead of new MemberLoginForm.
The work around is to fix Security line 589 which in my opinion should use Object::create not new ChangePasswordForm.
However since its A VERY BAD IDEA TO EDIT THE CORE, simple create a new class called CustomSecurity which extends Security and then add a rule in mysite/config.php
Director::addRules(11, array(
'Security//$Action/$ID/$OtherID' => 'CustomSecurity',
));
The rule above overrides the rule in Sapphire/_config because the priority is 11 which outranks 10.
http://open.silverstripe.org/ticket/6334