It is possible that "/etc" is mounted on a ramdisk (or as tmpfs), which
allows you to change the password at runtime but the changes are not
propagated to the actual passwd and shadow files. "/etc" is remounted
on bootup from a flash device, causing the old settings to be used.
After logging in to the system, execute mount and check where "/" or
"/etc" is mounted, then check the type. A value of tmpfs will prove the
statements above. Also check if "/etc" is a link to a folder in "/var".
"/var" is usually on tmpfs.
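
The check described above, written as a script. This is an added example, not part of the original text: it reads /proc/mounts (the same table that mount prints), the helper names and sample lines are constructed for illustration, and treating ramfs as volatile goes slightly beyond the tmpfs case named in the text.

```shell
#!/bin/sh
# Added example. Helper names and the sample data are constructed.

# Constructed sample in /proc/mounts format (not from a real device).
sample_mounts() {
    cat <<'EOF'
/dev/mtdblock3 / squashfs ro 0 0
tmpfs /var tmpfs rw 0 0
proc /proc proc rw 0 0
EOF
}

# fstype_for PATH [MOUNTS_FILE]: print "<mountpoint> <fstype>" for the
# longest mount point covering PATH; a later entry on the same mount
# point wins, as it is mounted on top. "-" reads the table from stdin.
fstype_for() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= n) { n = length($2); best = $2 " " $3 }
        }
        END { if (best != "") print best }
    ' "${2:-/proc/mounts}"
}

# tmpfs is the type named in the text; ramfs is the other RAM-only
# filesystem type in Linux and is included here as an extension.
is_volatile() {
    case "$1" in tmpfs|ramfs) return 0 ;; *) return 1 ;; esac
}

# report PATH [MOUNTS_FILE]: resolve symlinks first (for example
# /etc -> /var/etc), then classify the filesystem that backs the target.
report() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    info=$(fstype_for "$real" "$2")
    if is_volatile "${info#* }"; then verdict="volatile, changes are lost on reboot"
    else verdict="not RAM-backed"; fi
    echo "$1 -> $real on ${info% *} (${info#* }): $verdict"
}

# On a live system, report the two paths the text says to check.
if [ -r /proc/mounts ]; then
    report /
    report /etc
fi
```

An overlay mount whose upper directory sits on tmpfs is reported with type overlay rather than tmpfs, so inspect its upperdir option separately.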