What is the username / password I need to use for OAuth token generation ?
Your username and password obtained during signup to the Developer Portal should be used to generate OAuth token.
How long does a password last? If I embed it into an app, will I need to change it every month?
Passwords for the developer portal will expire 90 days after creation, or last change. As your Developer Portal password is the same as the Sandbox password, the same applies to passwords used by API Apps.