When an NIS password is changed for a user that is currently logged into X and using xscreensaver with a password required, they can use their new password and old password to unlock the screen until they log out and back in again (at which point they can only use the new password to unlock the screen). I tried logging in from a console and through telnet with the old password once I noticed this, and was unable to. So it looks like the problem is with xscreensaver caching the password someplace. Could this possibly allow a local process to retrieve a user's password from any locked displays? This kind of seems like the motivation for not allowing the root password to unlock the display anymore (you could do it in Red Hat 6.2, but not in 7.0).
It caches the crypted string in NIS, IIRC. This would only be accessible by processes run by the same users that run xscreensaver, who can get that string anyways.
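The two behaviours discussed in the thread, a locker that snapshots the crypted string at session start and one that consults the directory on every unlock attempt, as an added model that is not xscreensaver's code. The `PasswordDirectory` class is a constructed stand-in for the NIS passwd map, `crypt_like` is a salted SHA-256 stand-in for crypt(3) so the example runs without a real NIS client, and the assumption that the caching locker accepts a match against either the snapshot or the current entry is mine, chosen to reproduce the observation above that both passwords work until re-login:

```python
import hashlib
import os


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salt + '$' + salted SHA-256 hex (constructed, not DES/MD5-crypt)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def verify(password: str, crypted: str) -> bool:
    """Re-hash the candidate with the stored salt and compare against the stored string."""
    salt = crypted.split("$", 1)[0]
    return crypt_like(password, salt) == crypted


class PasswordDirectory:
    """Constructed stand-in for the NIS passwd map: holds one user's crypted string.
    Any process on the host can read this entry, which is the reply's point that the
    cached string gives a same-user process nothing it could not already obtain."""

    def __init__(self, crypted: str) -> None:
        self.crypted = crypted

    def change_password(self, new_password: str) -> None:
        # yppasswd-style change: the map now carries a fresh salt and hash
        self.crypted = crypt_like(new_password, os.urandom(4).hex())

    def lookup(self) -> str:
        return self.crypted


class CachingLocker:
    """Models the reported behaviour: the crypted string is read once when the
    locker starts with the session and kept in memory (assumption: the current
    directory entry is also checked, which is why the new password works too)."""

    def __init__(self, directory: PasswordDirectory) -> None:
        self.directory = directory
        self.cached = directory.lookup()  # snapshot taken at login time

    def unlock(self, password: str) -> bool:
        return verify(password, self.cached) or verify(password, self.directory.lookup())


class FreshLocker:
    """Mitigated variant: no snapshot is kept, so a password change takes effect
    at the next unlock attempt and only the current entry is ever consulted."""

    def __init__(self, directory: PasswordDirectory) -> None:
        self.directory = directory

    def unlock(self, password: str) -> bool:
        return verify(password, self.directory.lookup())


def simulate() -> dict:
    """Log in with the old password, change it while locked, then try to unlock."""
    directory = PasswordDirectory(crypt_like("old-secret", "ab"))
    caching = CachingLocker(directory)   # started at login, before the change
    fresh = FreshLocker(directory)
    directory.change_password("new-secret")
    return {
        "caching_old": caching.unlock("old-secret"),
        "caching_new": caching.unlock("new-secret"),
        "fresh_old": fresh.unlock("old-secret"),
        "fresh_new": fresh.unlock("new-secret"),
        "caching_wrong": caching.unlock("not-a-password"),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {'unlocked' if accepted else 'rejected'}")
```

Running `simulate()` shows the caching locker accepting both the old and the new password after the change while the fresh locker accepts only the new one; in both variants what sits in the locker's memory is the crypted string, not the cleartext, so a same-user process that reads it has only what the passwd map already publishes.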