The password attribute of the User entity shouldn't be used as this is the actual, hashed, password. In case you want to change / edit / create a new user password, use the AccountPasswordData entity in the Administration module
The more generic answer is that the password attribute is of type hashed string. Hashed strings are a security measure and it is generally a best practice not to allow users direct access to them in the UI, which is why we screen them from the connector. As Paul Ketelaars already stated you should probably make use of the attribute by proxy rather than passing it directly.