Although I disagree with the premise of your question, sometimes we have to implement functionality to be compliant with (security) frameworks: I've built something like this in the past.
My first suggestion is to try the native Mendix route: when a user changes his password, retrieve all sessions of that user from the database and delete them. I haven't tested this approach, but this should work.
Alternatively, when a user changes his password, destroy all of his sessions by executing the following Java code.
Collection<? extends ISession> iSessions = Core.getActiveSessions();
for (ISession iSession : iSessions) {
if (iSession.getUserName().equals(userName)) {
iSession.destroy();
}
}
// END USER CODE
NB: in the Java code above, you should have an input parameter userName, which is a String filled with the value of $currentUser/Name.
In both of these cases, since the session is destroyed server side, the user will not notice anything until he performs another action. I would suggest using the URL Redirector widget to redirect the user back to /index.html of your app.