This one was new for me. We are working on an Exchange 2007 implementation which serves remote users. During the testing phase we discovered that when users change their password using OWA, they are able to log on using both their OLD and NEW passwords!
After some googling we had nothing. The MS newsgroups helped us figure this out.
This behavior is by design. We can change the password in AD, and it will work immediately, but there is a 15-minute delay before OWA applies the password change. This means that during this 15-minute period, we can log on to OWA using either the old password or the new password.
For detailed information on this topic, refer to this article:
Old password still works after you change it through Outlook Web Access
There is also a method provided by KB267568 to change this default interval.