Wikimedia Bugzilla is closed!

AuthPlugin::setPassword is currently declared to use a single parameter,
$password. That makes no sense because an implementor of that method (e.g. in a
custom AuthPlugin) does not know whose user's password is supposed to be changed.

Also, the code in SpecialPreferences correctly invokes the method with two
parameters: $user and $password.

I suspect somebody got confused or copy-pasted from class User: there,
setPassword indeed only takes a single $password argument (because it is applied
to the User object which obviously knows what user it refers to).

While very easy to fix, I have taken the liberty to make this a major-severity
bug because it likely confuse countless AuthPlugin developers sooner or later.