After changing Microsoft password, one can still login to previously authenticated Windows devices with old password indefinitely. Why?

Microsoft Account

Although it's harded to find official online documentation on this, it seems to work similarly as with the Active Directory domains described below. According to Microsoft Specialist Guide to Microsoft Windows 10 (Exam 70-697, Configuring Windows Devices) by Leon Plesniarski & Byron Wright:

Cached credentials are also used when you selct to sign in with a Microsoft account in non-domain networks. Cached credentials for Microsoft accounts ensure that you can sign in when your computer does not hace access to the Internet.

Top Password Software, Inc. has this blog post that states (for Windows 8):

The cached logon credentials will never expire itself. If you change your Microsoft account password online via https://login.live.com, the cached logon credentials won’t update until you successfully log in to Windows 8 with the new password. After you have successfully logged in to Windows 8 with the new password, you cached logon credentials are updated.

This seems quite reasonable: if the computer completely loses network connectivity (due to hardware failure or configuration error) and there's no local administrator accounts available, you'd completely lose your access to the operating system on password expiration. This also renders you unable to fix the network connection required for checking the new credentials over the Internet.

Despite the cache doesn't expire based on time limits it doesn't mean you can use all your previous passwords, as the new password will replace the previous during the first login with it. This way, a password change invalidates the old credentials; not just at the moment you expected it.

As, starting from Windows 8.1, Microsoft has disabled WDigest and enabled LSA Protection by default, it's less of a problem to store the credentials locally. More information e.g. on Preventing Mimikatz Attacks by Panagiotis Gkatziroulis.

Active Directory Domains

From Cached and Stored Credentials Technical Overview:

Windows logon cached password verifiers

These verifiers are not credentials because they cannot be presented to another computer for authentication, and they can only be used to locally verify a credential. They are stored in the registry on the local computer and provide credentials validation when a domain-joined computer cannot connect to AD DS during a user’s logon. These “cached logons” or more specifically, cached domain account information, can be managed using the security policy setting Interactive logon: Number of previous logons to cache (in case domain controller is not available).

A user can't use the old cached verifiers once

  • the domain-joined computer has been able to contact a DC during a logon for the user, caching the new domain account information
  • more users than specified in the "Number of previous logons to cache" policy have logged in after the user.

However, there seems to be no time based limit for this cache to expire. You could set the number of users to zero, but then no-one would be able to login if there's no DC available. This would probably be ok for most in-office desktops, but not so good with laptops.