This is a pretty common question. When you log into a droplet using a password for the first time you are prompted to change the password. The order of the prompts tends to cause the confusion.
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:YBYfJDspFnXNezUUGCYlirlBPcjXbA4bcO9j0hG3eYI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
Here we have entered our temporary password the first time.
You are required to change your password immediately (root enforced)
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
Changing password for root.
(current) UNIX password:
Here we have entered our temporary password the second time.
Enter new UNIX password:
Here we have entered our new password the first time.
Retype new UNIX password:
Here we have entered our new password the second time.
The common problem is that after logging in with their temporary password people see "Changing password for root" and try to enter the new password they want instead of verifying the current one first.