So I just changed my password on Pandora, because somehow I keep getting the Linkin Park station re-added. After changing my password, I went to my smartphone to change it, and I didn't have to. I was able to keep playing my music, even add and delete stations without entering my new password.
I am completely shocked that this flaw has gone so long unnoticed. Please mention this to Pandora so they can fix it!
And that's not all. I then changed my email password (Hotmail) on my desktop and I can still RECEIVE AND SEND EMAILS on my smartphone, even the Windows 8 metro app. (I'm on 8.1 but still).
My theory is that once you sign into an app on a device, your account on whatever service generates a random hash, sends that to your device and lets you log in via that hash, and when you change your password the hash doesn't change. Any other ideas?
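The mechanism guessed at in the post above, sketched as an added example that is not part of the original post and is not Pandora's or Microsoft's code: a toy service (every name here is hypothetical) issues a random token at sign-in, and a flag decides whether a password change revokes tokens already handed to other devices.

```python
import hashlib
import hmac
import secrets

class AccountService:
    """Toy service: password login yields a random bearer token per device."""
    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.users = {}     # username -> {"salt", "pw_hash", "epoch"}
        self.sessions = {}  # sha256(token) -> (username, epoch at issue)

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash_pw(password, salt), "epoch": 0}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], self._hash_pw(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)  # random, not derived from the password
        # Store only a hash of the token so a leaked session table is not replayable.
        self.sessions[hashlib.sha256(token.encode()).hexdigest()] = (username, user["epoch"])
        return token

    def whoami(self, token):
        entry = self.sessions.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None:
            return None
        username, epoch = entry
        # A token is valid only if it was issued in the user's current epoch.
        return username if self.users[username]["epoch"] == epoch else None

    def change_password(self, username, new_password):
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = self._hash_pw(new_password, user["salt"])
        if self.revoke_on_password_change:
            user["epoch"] += 1  # invalidates every token issued before this point

def phone_still_signed_in(revoke):
    svc = AccountService(revoke_on_password_change=revoke)
    svc.register("alice", "old-password")         # constructed sample account
    phone_token = svc.login("alice", "old-password")
    svc.change_password("alice", "new-password")  # done from the desktop
    return svc.whoami(phone_token) == "alice"
```

With `revoke=False` the phone's token keeps working after the password change, matching what the post describes; with `revoke=True` the phone has to sign in again with the new password.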