When an nis password is changed for a user that is currently logged into X 
and using xscreensaver with a password required, they can use their new 
password and old password to unlock the screen until they log out and back 
in again (at which point they can only use the new password to unlock the 
screen).

I tired logging in from a console and through telnet with the old password 
once I noticed this, and was unable to.  So it looks like the problem is 
with xscreensaver caching the password someplace.  Could this possiblely 
allow a local process to retreive a user's password from any locked 
displays?  This kind of seems like the motivation for not allowing the 
root password to unlock the display anymore (you could do it in redhat 
6.2, but not in 7.0)