Yes, this is correct.
When the user first registers they have to be able to set a password so they can login initially.
once they are logged in, they go to the profile page.
If they wish to change the password _after_ logging in, they can click the change password link on the profile page.
If they dont set a password on the registration page though, they will have no way to login.