As Terence knows, I made a Twitter app which (optionally) uses OAuth. I know that the OAuth connections page exists and I understand that changing my password does not automatically revoke any OAuth tokens that have already been approved. A typical user has a much narrower understanding of how OAuth works. I do agree that this is a security issue and that it needs to be clearer to users that simply changing their password is no longer enough to block someone from using their account. IMO an automatic revoke of all tokens is too disruptive. Dossy gets it spot on when suggesting that if you change your password then you should be given some information about OAuth and how to further protect yourself.