Users can change their password within Web TimeSheet, under their User Preferences however, this can be controlled from their permission profiles, by the administrator. If users use the Web TimeSheet internal authentication, then they can change their password without help from the administrator by making use of the Forgot your Password? option on the login page however, if you use a SAML authentication type, then the users will not be able to change their password.