
Application-Specific Passwords: What Are They and Why Are They Necessary?

Application-specific passwords (app-specific passwords) are computer-generated 16-character passcodes that give a less-secure third-party app or device permission to access your cloud-based account. App-specific passwords allow you to sign in to your account securely when you use third-party apps with your account.

Why Application-Specific Passwords Are Necessary

Two-factor authentication (also called two-step verification or 2FA) requires two things to log into your account. You first have to enter your password, and then you are prompted to enter a one-time-use code. This code is often generated by a smartphone app, sent via SMS, or emailed to you. For some, it may also be generated on a physical security token device such as RSA SecurID.

Ordinarily, you enter your password, and then you are prompted for the one-time code. You enter the code, and your device receives a token that marks that application or browser as authenticated; the token is what gets stored, not your password.

However, some applications aren’t compatible with two-step verification. For instance, let’s say you want to use a desktop email client (such as Outlook or Thunderbird) to access your email. These email clients work by asking you for a password. They then store that password and use it every time they access the server. There’s no way to enter a two-step verification code into these older applications.

To fix this, MailSafi, Google, Microsoft, Apple, and various other email hosting providers that offer two-factor authentication also offer the ability to generate an application-specific password.

In this case, you then enter this password into the application — for example, your desktop email client of choice — and that application can happily connect to your account. Problem solved — applications that wouldn’t be compatible with 2FA now work with it.

Are App-specific Passwords More Secure than Passwords?

Application-specific passwords are certainly an advancement in account security over user-generated passwords. Theoretically, purely because of their length (16 characters), they can be considered more secure than most user-generated passwords, which average about 8 characters.

Also, using application-specific passwords is better than giving every application your primary password. Application-specific passwords maintain a high-security level and help ensure your primary password won’t be collected or stored by any third-party apps you use.

You’ll use an app-specific password for any mobile, desktop, or browser app that requires access to some parts of your data, such as the email in your mailbox, the events in your calendar, or the addresses in your contacts. This way, your primary login credentials are never shared with another service provider or stored on their servers.

However, the name may also provide a false sense of security to many people. It is misleading because, although it suggests that a generated password can only be used with one app, nothing technically stops you from entering the same password into multiple applications or devices. Doing so is simply bad practice.

Deriving the Benefit of App-specific Passwords

To derive the intended security benefit of using application-specific passwords, you should not reuse the passwords across applications or devices.

Application-specific passwords are named as such to encourage good security practices. You are not supposed to reuse them.

You need to generate a new application-specific password for each application you use. With most services that offer app-specific passwords, you’ll only have to enter an app-specific password once per application or device. Therefore, you don’t need to worry about memorizing it.

That’s why MailSafi, Google, Apple, and other services don’t allow you to view these application-specific passwords once you’ve generated them. They’re displayed only once (when you generate them). You are then supposed to enter them in the application, and then you ideally never see them again. The next time you need to use such an application, you need to generate a new application password.

This does provide some security advantages. When you’re done with an application, you can choose to “Delete” or “Revoke” the related application-specific password and that password will no longer grant access to your account. Any applications using the old password won’t work.

Unlike backup codes, application-specific passwords can be used forever — or until you manually delete or revoke them.
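The lifecycle described above (generate a random 16-character passcode, show it once, keep only a hash server-side, revoke it per application) can be shown in a small model of the provider's side. The following is an added example written for this page, not MailSafi's, Google's or Apple's code; the class and function names, the character set, and the hashing parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed character set: lowercase letters and digits, 16 characters long,
# matching the shape of the app-specific passwords the article describes.
ALPHABET = string.ascii_lowercase + string.digits
PASSWORD_LENGTH = 16
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored hash


def generate_app_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw the passcode from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked store does not yield usable passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AppPasswordRecord:
    app_id: str        # label the user chose, e.g. "Thunderbird on laptop"
    salt: bytes
    digest: bytes
    revoked: bool = False


class AppPasswordStore:
    """Server-side store for one account: holds salted hashes only, so the
    cleartext can be displayed exactly once, at generation time."""

    def __init__(self) -> None:
        self._records: Dict[str, AppPasswordRecord] = {}

    def create(self, app_id: str) -> str:
        """Generate a password for app_id and return the cleartext once.
        A new password may only be issued after the old one is revoked,
        which mirrors 'one password per application'."""
        existing = self._records.get(app_id)
        if existing is not None and not existing.revoked:
            raise ValueError(f"an active app password already exists for {app_id!r}")
        password = generate_app_password()
        salt = secrets.token_bytes(16)
        self._records[app_id] = AppPasswordRecord(app_id, salt, _hash(password, salt))
        return password  # caller shows it to the user; it is never retrievable again

    def revoke(self, app_id: str) -> None:
        """'Delete'/'Revoke': the password stops granting access immediately."""
        self._records[app_id].revoked = True

    def authenticate(self, candidate: str) -> Optional[str]:
        """Return the app_id the candidate password belongs to, or None.
        Constant-time digest comparison avoids leaking partial matches."""
        for rec in self._records.values():
            if rec.revoked:
                continue
            if hmac.compare_digest(_hash(candidate, rec.salt), rec.digest):
                return rec.app_id
        return None

    def active_apps(self) -> List[str]:
        return [r.app_id for r in self._records.values() if not r.revoked]


if __name__ == "__main__":
    store = AppPasswordStore()
    shown_once = store.create("Thunderbird on laptop")   # display to the user now
    print("authenticated as:", store.authenticate(shown_once))
    store.revoke("Thunderbird on laptop")
    print("after revoke:", store.authenticate(shown_once))  # None
```

Two design points matter for a defender. First, the store never keeps the cleartext, which is why a provider cannot show the password again and why the user must generate a fresh one for the next application. Second, each application gets its own record, so revoking one client (a lost laptop, a retired mail app) cuts off only that client while the others keep working; had the same passcode been pasted into several apps, as the previous section warns, revocation would be all-or-nothing.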

MailSafi cloud-based email service offers app-specific passwords in both MailSafi Basic and MailSafi Enterprise.
