Hi, friend.
Keep in mind that the password change must be encrypted before store in database.
The most common scenario is do not bring the password to screen in the User's aggregate. You can use a modal to overwrite the password in database (creating an action to do only that).
If you're talking about a 'reset password' screen, the user must use some kind of token to access the screen.