As a first step, let's expose the ability to update a user's password from the CLI. The idea is that if someone has access to the server they ought to be able to update someone's password in case they forgot it or it was compromised.
Exposing this to the JSON API and web application is explicitly out-of-scope.
Logan Connolly referenced this ticket in commit 8ae951a.