What version of Oracle are you using? I assume pre-9i, because you are able to "connect sys".
If I remember correctly, the filename for the password file should be of the format "orapw<SID>" and in the dbs directory.
Also, when you installed the database, did you change the SYS password by using:
ALTER USER SYS IDENTIFIED BY oracle;
As to the "problem" you are encountering:
When you log in as SYS AS SYSDBA with the REMOTE_LOGIN parameter set to anything but NONE, you enable OS authentication to occur. This means that a user can log into the database if he/she is one of the following: the owner of the Oracle process (program), or a member of the same group as the process owner.
In either instance, authentication (i.e., password verification) does not occur within the database, but Oracle relies on the OS to make sure the user logging in has been validated. What this means is that even though Oracle asked you for a password, it already assumed a valid connection and didn't actually require the password.
When you simply CONNECT SYS, you are going directly to the database and whatever password SYS has been assigned in the database (not the orapwd) is going to be used.
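
An added example, not part of the post above: a POSIX shell check that lists the OS accounts matching the post's description (the owner of the Oracle process, or a member of that owner's group), which are the accounts an administrator should review when the SYS password is not what gates SYSDBA access. The owner name `oracle`, the use of the owner's primary group, and the passwd/group sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# os_auth_accounts PASSWD_FILE GROUP_FILE OWNER
# Prints (sorted, one per line) every account that is OWNER or belongs to
# OWNER's primary group, either as its own primary group or as a
# supplementary member listed in the group file.
os_auth_accounts() {
    passwd_file=$1
    group_file=$2
    owner=$3
    # Field 4 of a passwd entry is the primary GID.
    gid=$(awk -F: -v u="$owner" '$1 == u { print $4; exit }' "$passwd_file")
    [ -n "$gid" ] || { echo "owner '$owner' not found" >&2; return 1; }
    {
        # Accounts whose primary group is the owner's group (owner included).
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file"
        # Supplementary members: field 4 of the matching group entry.
        awk -F: -v g="$gid" '$3 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }' "$group_file"
    } | sort -u
}

# make_sample DIR: writes constructed passwd/group files for the demo.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:500:501:Oracle owner:/home/oracle:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
backup:x:1003:501:Backup job:/home/backup:/bin/sh
EOF
    cat > "$1/group" <<'EOF'
users:x:100:
dba:x:501:oracle,alice
EOF
}

# Demo on the constructed data; on a real host pass /etc/passwd and /etc/group.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
os_auth_accounts "$demo_dir/passwd" "$demo_dir/group" oracle
rm -rf "$demo_dir"
```

On hosts that resolve accounts through LDAP or NIS, feed the function the output of `getent passwd` and `getent group` saved to files instead of the local files.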