When a session drops after a password change, the client tries to reconnect every couple of seconds, which causes the bad password counter to go up rapidly, and could lock the account. I think this needs throttling, or possibly just unmount on bad password errors.
Well, we can't really unmount at that point -- mounting is controlled at a different layer. Throttling is probably doable -- the reconnect behavior of cifs.ko in general needs some work.