Password Manager resets passwords by signing into the target system with its own privileged password, looking up the relevant login account, setting the password attribute for that user and logging off from the target system.
At least one privileged ID/password is encrypted into the Password Manager database for each target system.
On systems that support it, the credentials used by Password Manager can be given limited privileges -- the right to list users, to search for users, to reset passwords and to set/clear flags such as intruder lockout.
Communication from user devices to Password Manager is HTTPS, so encrypted with SSL/TLS.
Communication from Password Manager to managed endpoints uses the various native protocols supported by each type of endpoint. i.e., the protocol used has everything to do with the type of endpoint system and what it "understands" and not much to do with Password Manager. Where communication to the endpoint is insecure, a Password Manager proxy server can be co-located with the endpoint system, so that most of the communication path (from main Password Manager server to proxy) is encrypted and the "last mile" uses that system's insecure protocol. Main server to proxy communication is TCP/IP with a shared key and 256-bit AES.
For z/OS mainframes, a local agent is also available, to eliminate the need for scripted TN3270 sessions. Communication to this local agent is encrypted (as above).