The current user can change her password in Settings > Password.
As long as TLS is not configured for the Web Management Console, passwords are sent clear-text over the network. To set up TLS see Enabling HTTPS.
If enhanced password policy is enabled for the user directory this user belongs to, then the new password must fulfil the password complexity requirements listed on the 3.3.3. User directories page.