Getting and setting passwords is currently controlled by the UserProvider class. This is broken because the only logic that needs to get/set the password is authentication code. In fact, AuthFactory is invoking a method in UserProvider, which is obviously broken.
The methods should be moved to AuthProvider. All existing auth and user providers will need to be updated.
NOTE: this change breaks existing provider implementations. Normally, we would not want to make these sorts of changes, but this is an important one to get right and now's our chance with the 3.0 release.