Found the issue, in the _change_password function it's using set_value to pull the contents from POST, set_value encodes characters automatically. So instead I changed those to pull from $this->input->POST instead.
Patch diff attached.
And I fully understand the "use it as an example and write your own implementation", I have done that for the controllers where it was too messy to unpick the code, but a lot of the functions that are in the models (like _change_password) are pretty much core to an authentication plugin so I'm not going to completely reinvent the wheel (if I wanted to do that I'd have written my own authentication piece in the first place) - and yes I can copy/paste them into my own models but then if updates are made in the code repo to fix bugs etc. then I'd have even more work to do to fix that.
Maybe some of that core functionality that's in the examples should be moved more central into the plugin/library?