My suggestion is that when passwords are changed, they should boot the account offline if it is online and prompt them to put the new password in.

When passwords are changed while the account in question is still logged into the game, the user can continue playing with no interruption and is not required to enter the new password until they log off again. This is such a huge security flaw. My close friend had his email hacked and somehow they managed to bypass the secure advanced account protection and were able to get into his account and steal his items. He immediately changed his password in the hopes that the hackers would be booted off before they got to his prized possessions but was greeted with his valuables looted and his world stolen.