For hosted organizations, users who do not have a token and only use the web application cannot set or change their own passwords. It must be done in the security application. As more moves to the web app, it would be great to allow these users to change their own passwords.