You mentioned that you secured xampp. Assuming you did this through the security link from the xampp admin page, it should behave as described above. If not, then I should ask how you secured it. Go to http://localhost/xampp/
and select "security" from the navigation pane.
What makes you think that passwords can be changed by someone else?