When I log in and go to the 'Users' tab I can change any other user's passwords. I don't think there exist any conditions under which it's appropriate for one user to be able to change the password of an existing user.
The easiest fix would be to require the user to enter their current password in order to change their password. That way Alice can't change Bob's password unless she already knows Bob's current password.
This has the added benefit of making our accounts more secure against other forms security threats too (session jacking, for example).
The update rolled out last night addresses this need - thanks for advocating for this feature! You can learn more about it in this article.