By default, the switch has two administrative accounts: manager and operator, both without a password. What probably happens is that you set the manager password, but when you connect to the web interface it will use the operator account (password-less) by default, so it does not ask for any password.
In order to fix this, and two other things that you might not like (SNMP write access with the community 'public' enabled by default, and a TFTP server enabled so anyone can fetch the config without a password), I use the following steps:
password manager user-name "swadmin" plaintext "admin123"
password operator user-name "operator" plaintext "password123"
no snmp-server community public
no snmp-server enable
no tftp server
This changes the manager username and password, sets an operator password, removes the 'public' SNMP community and disables TFTP. If you need SNMP, you might not want to disable the SNMP server, but configure it instead.
From a hardening perspective, I'd like to have syslog and NTP timesync configured:
logging 10.1.254.20
timesync ntp
no sntp
ntp unicast
ntp server 10.1.254.20
ntp server 10.1.254.28
ntp enable
time daylight-time-rule western-europe
time timezone 60
A document with the name HP - Hardening ProCurve Switches.pdf can be found on the internet which goes even deeper (and was the source of my command-set).
In case you want to go even further, search for 'Aruba 2920 Switch Series. FIPS 140-2 Non-Proprietary Security Policy' and find out how you can even protect against people with physical access to the switch.
Just setting an operator password would fix your specific issue.
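As an added example (not part of the original answer), the following Python check reports which of the hardening commands listed above are missing from a command file before it is pasted into the switch, and flags the example passwords if they were copied verbatim. It assumes one command per line in the form typed above; the function name `audit` and the sample input are constructed for illustration.

```python
import re

# Constructed sample: an incomplete command file (not taken from a real switch).
SAMPLE = '''\
password manager user-name "swadmin" plaintext "admin123"
no snmp-server community public
no tftp server
logging 10.1.254.20
timesync ntp
ntp server 10.1.254.20
'''

# (finding reported when no line matches, pattern for the hardening command)
REQUIRED = [
    ("manager password not set", r'^password manager\b'),
    ("operator password not set (web interface stays password-less)",
     r'^password operator\b'),
    ("SNMP community 'public' not removed",
     r'^no snmp-server community "?public"?\s*$'),
    ("TFTP server not disabled", r'^no tftp server\s*$'),
    ("no syslog target configured", r'^logging \d+\.\d+\.\d+\.\d+'),
    ("NTP not enabled", r'^ntp enable\s*$'),
    ("no NTP server configured", r'^ntp server \S+'),
]

# The passwords shown in the answer are examples and must not reach a live switch.
EXAMPLE_PASSWORDS = {"admin123", "password123"}

def audit(text):
    """Return a list of findings for a ProCurve command file given as text."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = [label for label, pattern in REQUIRED
                if not any(re.match(pattern, l) for l in lines)]
    for l in lines:
        m = re.match(r'^password (manager|operator)\b.*plaintext "([^"]*)"', l)
        if m and m.group(2) in EXAMPLE_PASSWORDS:
            findings.append(f"{m.group(1)} uses the page's example password")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

The check deliberately does not require `no snmp-server enable`, since the answer notes that SNMP may be needed and configured instead.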