When a user is updated via REST, the user resource only saves the user account but doesn't actually update their password when specified.
The quick fix would be to validate the password using OpenmrsUtil.validatePassword and then call UserService.changePassword after saving the user if the password not blank. This should only be allowed if the authenticated user is the same user whose password is being changed.
Preferably the validation logic should be added to wherever the rest module does its validation so that the errors get send back in the response i.e check the resource to be of type UserAndPassword and then validate the password
When a new user is getting created, we need to call saveUser(User, password) which was changed to saveUser(User) in 2.0 and you need add oldPassword and secretAnswer fields to the UserAndPassword class.
When updating the user password, the user needs to provide their oldPassword or secretAnswer, override update method in UserResource1_8 and check if the password field is present, if it is then you need to change the user's password, you might need to include some restrictions to avoid brute force attacks. You might need a new one for 2.0 sub project since the changePassword methods might vary.