It is not best practice or even good practice to use HTTP to accomplish password changes. I highly recommend that you enable HTTPS to make sure passwords do not pass over the Internet in plaintext.
It is added to our to-do list.
AdminSandy_diigo (Admin, Diigo ) commented
Thanks for your advice. It is done.