Call to JFactory::getApplication()->login changes user's password

Question 1

The password itself is not changing, what is happening is that the method hashing of the password prior to storing in the the database has changed. Users with existing passwords with the old hashing have their hashing changed when they login. If you use the JUser API with your authentication system this will work seamlessly, you would only know that it happens if you look in the database.

Question 2

I only briefly reviewed the link you posted with the tutorial, and from first glance this is not the correct way to achieve external authentication in Joomla. You should write an authentication plugin which hooks into core events and seamlessly integrated with the framework.

Although you could most definitely make this approach "work," in the long run, by working against the framework; maintaining the code could become more and more difficult.

The link below is for Joomla 3.2, but the concepts apply. I would recommend reverse engineering existing core authentication plugins.

If you choose to continue with the component approach check out the com_users login controller and model for his they handle login posts. Both should have relevant methods.

http://docs.joomla.org/J3.2:Creating_an_Authentication_Plugin_for_Joomla

Question 3

I figured it out with the help of Elin...

Turned out to be a rehash... In Joomla 2.5.19, (libraries/joomla/user/helper.php) JUserHelper::verifyPassword() is actually rehashing and updating the password in database.

Thank you @Elin. Can you submit you comment as answer so I can accept it :)