Very interesting article on the subject http://www.petefinnigan.com/weblog/archives/00001198.htm by Pete Finnigan with even more insightful comment.
In short while the Oracle database allows implicitly to change user's own password without any additional grants one may block this with leverage of the before alter
on database trigger. But the truly "professional" approach here would be to use the Oracle password verify function declared with profile. This one allows for fine-grained selction of password change commands without any conditions - here one may easily decide which user profiles are allowed to change own passwords and which are not.
My personal concern here was bound mainly with securing this ability from proxy users - without that function the proxy user is allowed to change the password of the schema to which one acquired proxy connection privilege, so not knowing the password is not that restrictive (one may change it).
With the properly constructed password verify function we have nice combo here.