aam_change_passwords

This capability is managed by the Additional Caps service that is enabled by default in the free AAM version. You can toggle this service on the AAM "Settings" page under the Services tab.

The aam_change_passwords is a custom capability that you create manually. Upon creation, all privileged users and roles that have the ability to manage other users, and do not have this capability explicitly granted, will not be able to change other users' passwords on the Edit User page.

The capability is deeply integrated with the WordPress core functionality and leverages the show_password_fieldsopen in new window filter to hide password fields on the Edit User page.

In addition, it uses the WordPress core check_passwordsopen in new window action to wipe incoming credentials if the user tries to bypass HTML form or leverage RESTful API.