I have to agree with Terence that this creates a rather large hole. However, the hole exists because it is not immediately transparent to the user that someone other than themselves is using that third-party site. I'm wondering if, instead of disabling part of the functionality of OAuth (not reauthorizing when the password is changed), Twitter should indicate the IP address, date and time of the last authorization for each application in the Connections tab. The user would then have an indication if someone else is using that application. Additionally, having this information on the Control tab is a bit difficult to find. It might be wise to follow the lead of some of the email providers and indicate at the bottom of a primary page the last application which acquired an auth, along with the IP, date and time, if the IP is not the same as the IP accessing Twitter at that moment. Just my two cents.
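The per-application "last authorization" view and the "last auth from a different IP" notice proposed in the comment above, sketched as an added example (this is not code from the thread, from Twitter, or from any OAuth provider). The application names, IP addresses and timestamps are constructed sample data, and the record layout is an assumption about what an OAuth provider would log for each token grant.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class AuthEvent:
    """One OAuth token grant as a provider might log it (assumed layout)."""
    app: str        # hypothetical third-party application name
    ip: str         # client IP that completed the authorization
    at: datetime    # when the grant happened (UTC)


def last_auth_per_app(events: Iterable[AuthEvent]) -> dict[str, AuthEvent]:
    """Reduce the audit log to the most recent grant for each application.

    This is what the proposed Connections tab would show per row.
    """
    latest: dict[str, AuthEvent] = {}
    for ev in events:
        if ev.app not in latest or ev.at > latest[ev.app].at:
            latest[ev.app] = ev
    return latest


def apps_authorized_elsewhere(events: Iterable[AuthEvent],
                              current_ip: str) -> list[str]:
    """Applications whose most recent grant came from an IP other than the
    one the user is browsing from right now. A non-empty list is the hint
    that someone else may be using that application on the account.
    """
    latest = last_auth_per_app(events)
    return sorted(app for app, ev in latest.items() if ev.ip != current_ip)


def last_auth_notice(events: Iterable[AuthEvent],
                     current_ip: str) -> Optional[str]:
    """Footer notice in the style of some email providers: report the single
    most recent grant across all applications, but only when it did not
    come from the IP of the current session (otherwise show nothing).
    """
    newest = max(events, key=lambda ev: ev.at, default=None)
    if newest is None or newest.ip == current_ip:
        return None
    stamp = newest.at.strftime("%Y-%m-%d %H:%M UTC")
    return (f"Last application authorized: {newest.app} "
            f"from {newest.ip} on {stamp}")


# Constructed sample audit log (not real data): two grants by the account
# owner from 198.51.100.7, and a later grant for "TweetLater" from another IP.
SAMPLE_EVENTS = [
    AuthEvent("TweetLater", "198.51.100.7",
              datetime(2009, 9, 1, 14, 2, tzinfo=timezone.utc)),
    AuthEvent("PhotoPoster", "198.51.100.7",
              datetime(2009, 9, 2, 9, 30, tzinfo=timezone.utc)),
    AuthEvent("TweetLater", "203.0.113.45",
              datetime(2009, 9, 3, 23, 15, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    me = "198.51.100.7"
    for app, ev in sorted(last_auth_per_app(SAMPLE_EVENTS).items()):
        print(f"{app}: last authorized from {ev.ip} at {ev.at.isoformat()}")
    print("Authorized from elsewhere:", apps_authorized_elsewhere(SAMPLE_EVENTS, me))
    print(last_auth_notice(SAMPLE_EVENTS, me))
```

The footer notice deliberately stays silent when the newest grant matches the current session IP, as the comment suggests, so the user only sees it when something looks off; the per-application view still lists every grant regardless.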