How are you handling auth? Given just these five actions that you need to perform, I would expect you could get away with using Basic Auth and HTTPS. I'd expect an endpoint for /users and /users/{id}. Creating a user would happen by POSTing to /users. Updating the password and active status would be handled with PUTs, PATCHes, or micro-PUTs (e.g. /users/{id}/password).
Of course, if this is part of a more complex application, using Basic Auth might not be viable. In that case, I'd strongly suggest using an existing library to handle auth rather than rolling your own. Security is hard enough for the people who do it every day. The rest of us have no real chance.
Eric