Application-specific passwords are more dangerous than they sound. Despite their name, they’re anything but application-specific. Each application-specific password is more like a skeleton key that provides unrestricted access to your account.
“Application-specific passwords” are so-named to encourage good security practices — you’re not supposed to reuse them. However, the name may also provide a false sense of security to many people.
Why Application-Specific Passwords Are Necessary
Two-factor authentication — or two-step verification, or whatever a service calls it — requires two things to log into your account. You have to first enter your password, and then you have to enter a one-time-use code generated by a smartphone app, sent via SMS, or emailed to you.
This is how it normally works when you log into a service’s website or a compatible application. You enter your password, and then you’re prompted for the one-time code. Once you enter the code, the service hands your browser or app a session credential (for an application, typically an OAuth token) that marks that particular browser or app as authenticated. The application stores that token, not your password, and the service can expire or revoke the token on its side.
However, some applications aren’t compatible with this two-step scheme. For example, let’s say you want to use a desktop email client to access Gmail, Outlook.com, or iCloud email over IMAP or SMTP. These clients ask you for a password once, store it, and send it to the server every time they connect. There’s no way to enter a two-step verification code into these older applications.
To fix this, Google, Microsoft, Apple, and various other account providers that offer two-step verification also offer the ability to generate an “application-specific password.” You then enter this password into the application — for example, your desktop email client of choice — and that application can happily connect to your account. Problem solved — applications that wouldn’t be compatible with two-step authentication now work with it.
Wait a Minute, What Just Happened?
Most people will probably continue on their way, secure in the knowledge they’re using two-factor authentication and are safe. However, that “application-specific password” is actually a new password that provides access to your entire account, bypassing two-factor authentication entirely. This is how these application-specific passwords allow older applications that depend on remembering passwords to function.
Backup codes also allow you to bypass two-factor authentication, but they can only be used once each. Unlike backup codes, application-specific passwords can be used forever — or until you manually revoke them.
Why They’re Called Application-Specific Passwords
These are often called application-specific passwords because you’re supposed to generate a new one for each application you use. That’s why Google and other services don’t allow you to actually view these application-specific passwords once you’ve generated them. They’re displayed on the website once, you enter them in the application, and then you ideally never see them again. The next time you need to use such an application, you just generate a new app password.
This does provide some security advantages. When you’re done with an application, you can revoke its application-specific password from your account’s security settings, and that password will no longer grant access to your account. Any application still using the old password will stop working, while your primary password and the other app passwords are unaffected. The app password in the screenshot below was revoked before publication, which is why it’s safe to show it.
Application-specific passwords are certainly a big improvement over not using two-factor authentication at all. Giving away application-specific passwords is better than giving every application your primary password. It’s easier to revoke an app-specific password than to change your main password entirely.
If you have five application-specific passwords generated, there are five additional passwords that can be used to access your account, and none of them requires a second factor. The risks are clear:
- If the password is compromised, it could be used to access your account. For example, let’s say you have two-factor authentication set up on your Google account, and your computer is infected by malware. The two-factor authentication would normally protect your account, but the malware could harvest application-specific passwords stored in applications like Thunderbird and Pidgin. Those passwords could then be used to directly access your account.
- Someone with access to your computer could generate an application-specific password and then hold onto it, using it to get into your account without the two-factor authentication in the future. If someone was looking over your shoulder while you generated an application-specific password and noted the characters shown on the screen, they’d have access to your account.
- If you provide an application-specific password to a service or application and that application is malicious, you haven’t just given a single application access to your account — the application’s owner could pass the password along and other people could use it for malicious purposes.
Some services may attempt to restrict web logins with application-specific passwords, but that’s more of a band-aid: the same password still works on every mail, contacts, or calendar protocol the service exposes. Ultimately, application-specific passwords provide unrestricted access to your account by design, and there’s not much that can be done to prevent it.
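To make the difference between the two login paths concrete, here is a small model of an account that offers two-step verification and application-specific passwords. It is an added example written for this article, not the code of Google, Microsoft, Apple, or any other provider; the class, method names, the constructed TOTP secret, and the app-password label are all assumptions. It covers the points above: the web login needs the password plus a current one-time code, an app password gets in with no code at all, the 16-lowercase-letter format is shown once and only a hash is stored, revocation is per app password, and the “refuse app passwords on the web login page” restriction is shown for what it is, a block on one endpoint while IMAP still accepts the same string.

```python
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30  # seconds per code, as in the common smartphone authenticator apps


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window that contains `now`."""
    counter = struct.pack(">Q", now // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _digest(password: str) -> str:
    # Toy hash so the example stays dependency-free. A real service would use a
    # slow password hash (argon2id, scrypt, bcrypt) for both kinds of password.
    return hashlib.sha256(password.encode()).hexdigest()


class Account:
    """Hypothetical account: primary password, TOTP second factor, and
    application-specific passwords that bypass that second factor."""

    def __init__(self, password: str, totp_secret: bytes):
        self._pw_hash = _digest(password)
        self._totp_secret = totp_secret
        self._app_passwords = {}  # label -> hash; the plaintext is never stored

    def login_web(self, password: str, code: str, now=None) -> bool:
        """Interactive login: the primary password AND a current one-time code."""
        now = int(time.time()) if now is None else now
        pw_ok = hmac.compare_digest(self._pw_hash, _digest(password))
        code_ok = hmac.compare_digest(totp(self._totp_secret, now), code)
        return pw_ok and code_ok

    def generate_app_password(self, label: str) -> str:
        """Create a 16-lowercase-letter app password (the format Google shows),
        return it exactly once, and keep only its hash. The label exists only
        so the user can pick it out of the revoke list; it binds nothing."""
        plaintext = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        self._app_passwords[label] = _digest(plaintext)
        return plaintext

    def login_app_password(self, candidate: str, protocol: str) -> bool:
        """Login path used by IMAP/SMTP/CalDAV clients. Note what is NOT checked:
        no one-time code and no check of which application is connecting.
        Whoever holds the string gets in."""
        if protocol == "web":
            # The band-aid: refuse app passwords on the browser login page.
            # Mail, contacts and calendar protocols still accept the same string.
            return False
        digest = _digest(candidate)
        return any(hmac.compare_digest(stored, digest) for stored in self._app_passwords.values())

    def revoke(self, label: str) -> None:
        """Revocation is per app password; the primary password is untouched."""
        self._app_passwords.pop(label, None)


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the scenarios from the text and return each outcome."""
    acct = Account("correct horse battery staple", totp_secret=b"constructed-secret-12")
    code = totp(acct._totp_secret, now)
    wrong_code = str((int(code) + 1) % 10 ** 6).zfill(6)
    # Shown once on the website, pasted into the mail client, then stolen from
    # the client's saved-passwords store by malware on that machine.
    stolen = acct.generate_app_password("Thunderbird on laptop")
    results = {
        "web_with_code": acct.login_web("correct horse battery staple", code, now),
        "web_wrong_code": acct.login_web("correct horse battery staple", wrong_code, now),
        "imap_with_app_password_no_code": acct.login_app_password(stolen, "imap"),
        "web_page_with_app_password": acct.login_app_password(stolen, "web"),
    }
    acct.revoke("Thunderbird on laptop")
    results["imap_after_revoke"] = acct.login_app_password(stolen, "imap")
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'ACCESS' if allowed else 'denied'}")
```

The `totp` function is a real RFC 6238 implementation (it reproduces the RFC’s published test vectors), so the contrast is genuine: `login_web` cannot succeed without a code computed from the shared secret, while `login_app_password` never consults that secret. A 16-letter lowercase password carries about 75 bits of entropy, so guessing is not the problem; the problem is that the string sits in a mail client’s saved-password store and works until someone remembers to revoke it.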
We’re not trying to scare you too much here. But the reality of application-specific passwords is that they aren’t application-specific. They’re a security risk, so you should revoke application-specific passwords you no longer use. Be careful with them, and treat them like the master passwords to your account that they are.