Don't use $_POST to check for changing variables

I believe the problem is that aes_user_alter is using $_POST instead of getting the data from $edit.

$_POST is a variable that the webserver gives to PHP so PHP can respond to forms that are POSTed. In Drupal's hooks it is considered a bad practice to do that because it means that code will break when there is other code that uses the API to create a user (e.g. from Ubercart or Migrate).

Yes, totally fixable. It will require some effort by the AES maintainers to figure out where those same variables are stored in the arguments to the hook functions instead of relying on the $_POST.

There's a comment about why module uses POST directly - password already hashed so only POST contains user data

Thanks @andypost for your information!

Let us do the following (and correct me if I am wrong here).
1. this particular ticket going to be closed since it works as designed;
2. in case there is a need to mass update all users passwords and store them in the format accessible by AES, I think separate ticket should be created; this definitely should be doable with separate dedicated form; alternatively we may force some/all users to change password by adding a new option like 'reset password' to selector on page 'admin/people'.
3. in case there is a need for per-user password update probably we may introduce a new field on some system form and store unencrypted password here, but this is not a nice from security point of view, so we better don't do this.

OTOH you will need user_load() in submit handler