I just noticed the token returned is always the same. I expected to get a different token back all the time which expires after some time. If somebody spies out this token all the users data is exposed which is a serious security issue.
Changing the password invalidates all existing tokens.
I looked for a mitigation of the security issue by regenerating the token on regular base. But if the token is generated from the password this doesn’t work 
Looking for an answer for my question 1 now 
I don’t think it is generated from the password. You can delete it from the database manually.
Makes sense SF is smart enough to generate a new token when there doesn’t exist a token for a user in the DB.
I just checked the DB and found two tables:
api2_token and api2_tokenv2 which have a different schemas. Both have a key. Do you know why there exist two tables?
.schema api2_token
CREATE TABLE IF NOT EXISTS “api2_token” (
“key” varchar(40) NOT NULL PRIMARY KEY,
“user” varchar(255) NOT NULL UNIQUE,
“created” datetime NOT NULL
);
.schema api2_tokenv2
CREATE TABLE IF NOT EXISTS “api2_tokenv2” (
“key” varchar(40) NOT NULL PRIMARY KEY,
“user” varchar(255) NOT NULL,
“platform” varchar(32) NOT NULL,
“device_id” varchar(40) NOT NULL,
“device_name” varchar(40) NOT NULL,
“platform_version” varchar(16) NOT NULL,
“client_version” varchar(16) NOT NULL,
“last_accessed” datetime NOT NULL,
“last_login_ip” char(39), wiped_at datetime DEFAULT NULL, created_at datetime NOT NULL DEFAULT ‘1970-01-01 00:00:00’,
UNIQUE (“user”, “platform”, “device_id”)
);
I think api2_token was there before and is not removed because it would unsync all devices using an old token.