I was wondering why we cannot set the user password via the user_update
method. Email can be updated this way, and a bad app could then use
the http://twitter.com/account/resend_password form to steal some
Twitter accounts.

Maybe the user_update method shouldn't be able to update email. Or
maybe creating a third access level would be an option (read,
read/write, update email or password).
