I know I'm an idiot. Most people are. Good security design requires you to fit to your users' expectations and limitations or invest heavily in educating them. It's why writing down passwords is often more secure than choosing weak but easily memorable passwords. People are idiots and can't remember things.

In this case, OAuth tokens are a completely new way of thinking for most users. Twitter should take that into account when asking them to reset their passwords.

Tell me, assuming you use OAuth, how would you tell which one of your previously authorised sites was compromised?

PS You'll notice a distinct lack of adverts on this site - I'm not sure what good SEO would do me. Unless you want to buy me something from my Amazon wishlist?