Hacker News
by mpobrien 5519 days ago
>Most access tokens expire in two hours, but some tokens work offline and remain valid until the user changes the password, Doshi said.

FB users can just go into their authenticated applications list and revoke access tokens on a per-application basis. Changing passwords shouldn't be necessary - that's the whole point of access tokens.

1 comments

Not only is it unnecessary, it won't do anything. One of the big points of access tokens is that they survive password changes, so a user can change their credentials and not have to reauthorize a few dozen apps.
"If the user changes their password, the access token expires" [http://developers.facebook.com/docs/authentication/]
That's not the case if `offline_access` has been requested.