The wording is kind of ambiguous, but it seems that App-Specific Passwords will continue working
> If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device.
> All Other Applications. If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.
It wasn't 100% clear to me either. The wording clearly says SMTP will support app passwords, but no clear indication if IMAP will still support them.
But I asked Google Workspace Support specifically about this yesterday, and they said:
> The application passwords will support IMAP, POP, and all SMTP configurations. Rest assured that OAuth serves as an alternative, offering a straightforward configuration process for any third-party application.
The second sentence was just them continually pushing adopting OAuth. I'd love to, but the cost of the (recurring) security review is not feasible for our small SaaS app, so we'll be sticking with app passwords (thankfully).
Any decision that limits my ability to use third-party apps, accepting, etc. is a compromise not worth making.
It sounds like there is a feature for generating additional passwords for specific apps/scopes?
Anyway. Forced 2fa without warning has locked me out of several Gmail accounts. I didn't know when migrating took Proton that you must use their client for mobile.
It is (or was) a good way to go. Receiving an email from a scanner or sharing something with an app on Google Drive is a lot more secure than OAuth + "This app will have access to EVERYTHING IN YOUR GOOGLE DRIVE"
At a certain point, you'll have apps and devices that have (or have no) permission to use someone else's account that was previously under your control.
> "This app will have access to EVERYTHING IN YOUR GOOGLE DRIVE"
I automate things all the time. If you want ChatGPT to provide feedback on a document, the above is what I've got to work with. If I want a web app to maintain a spreadsheet, again, that's what I've got.
I'm not giving away anything to anyone when I locally install and configure an email client on my computer to access my gmail email account. It's my software I control on my computer.
The idea that people should only use a google application to access google email sounds crazy to me but I understand the situation is different on smartphones where you aren't in control.
You have to trust the email client's developers to not be malicous, to not write insecure software, to not get hacked, and not sell to someone malicous. And on desktop it's worse since they are less secure as programs can typically read each other's files meaning some random program can read your Google account password that the email client is using.
I don’t mind two step authentication using TOTP but as soon as you sign in to an android device with a google account, google decides to use that device for two step authentication and there’s no way to stop that short of signing out of google on the device.
But also how do app specific passwords protect you if you have malicious software on your computer rifling through your files?
App-specific passwords are limited to just a couple of services, so somebody stealing one of them can cause a lot less damage than if they got the actual Google password. The app-specific passwords are going to be unique rather than something you've reused on dozens of services, so the password being stolen won't be automatically pivoted to compromising your other accounts. Finally, their use can be audited, and each app-specific password can be revoked independently of each other and of the credentials giving full access to the account.
It's the very same with trusting Google, and my trust in Google is much, much lower than my trust in the developers of the applications I use. Google is a fairly untrustworthy company, which is why I don't use Gmail personally. Unfortunately, I'm forced to use it at my university.
If I believed in conspiracy theories, I'd say that Google encourages the security theater* industry to make you distrust your devices so they can have all your data.
* There are real security vulnerabilities, and there are end-of-the world articles that try to make you believe the whole world is at risk via some complex exploit that requires the attacker to obtain local root some other way.
I still access my personal Gmail account via the Microsoft Exchange option in my iPhone's Mail.app and I get push notifications this way rather than being stuck with Fetch.
The reason it still works is that connections made to Google Sync for personal accounts prior to the discontinuation date like 10 years ago are still honored and "grandfathered" if you will.
So to get it to work I just need to modify the Exchange GUID in my iPhone to what the GUID was on my phone back when I logged into Google Sync before they discontinued new logins.
Fortunately changing this GUID is possible by taking an iPhone backup, modifying a plist file in the backup, and restoring that backup to the phone.
So right now, on my iPhone 14 Pro, I am still using Mail.app with push notifications to my personal Gmail account.
My heart skipped a beat when I read this — I have various scripts and things that interact with Gmail.
But it's okay. App passwords will still work, it seems. This is just removal of "Less Secure Apps" support, using the account's plain account user/password.
I shudder to think how much automation would die if Google truly killed off everything but OAuth.
I don't like the complexity OAuth. I enjoyed this Perl module documentation[1] that breaks down how the dang thing works, clearly written by someone as exasperated as me (:
Assuming the attacker doesn't have a leaked database of hashed passwords and therefore can't run the brute force on a local database. I want my account to be secure even if there is a leak which has been the standard for authentication for more than a decade.
16 letters is ~75 bits of entopy (if they are randomly selected), not 65. The usual recommendation is 80, but it's not as bad as you say. I don't know how Keepass is doing its math, but 65 is wrong.
Obviously the estimate is wrong when the password will always have a fixed length and a randomized character set. But KeePass doesn’t know that “pass word pass word” is following set rule. Perhaps parent commenter ran the calculation on an example with a run or common word within it.
You’re right it’s 75 bits for the format used by Google here.
65 bits is incredible amount of entropy. Why do you think that's not enough? I'm using 10 characters passwords of lowercase letters almost everywhere and I think that's absolutely enough.
2 ^ 65 / 20 / 365 / 86400 = 58 494 241 735
I don't think Google would allow you to bruteforce account using 58 billions of attempts per second for 20 years.
Whether 65 bits is sufficient depends on your attack scenario. I agree that Google won't allow you to try that many passwords, but for other scenarios, 65 bits might not be enough.
For example, imagine that OP is reusing passwords across different websites as most people are doing. One server gets hacked and the SHA256 password hashes get leaked, which unfortunately is still common. Currently, the best bitcoin miners can hash in the order of 10^14 hashes per second, which amounts to just 2^65 / 10^14 / 86400 ≈ 4 days of hashing. To be fair, bitcoin miners usually are not suitable for password hashing, but I'd be surprised if the NSA does not have 1000s of similar devices somewhere. Is that a realistic scenario? Probably not. But it is certainly a technical possibility.
A lower case password with 10 characters is not sufficient at all. Anycone could bruteforce that in a day with just one modern GPU.
They don't get the benefit of the doubt. I've lost count of how many times these agencies have been caught illegally spying only to apologize and keep doing it in secret. There's probably even a Wikipedia page of all the whistleblowers.
Even if they don’t have free reign over every bit of data (unlikely), there are certainly automated systems that will give them free access to any account they wish upon delivery of a rubber stamped “warrant”, signed by an anonymous “judge” in a secret court.
When data leak occurs, nobody's going to brute force random passwords. They'll use dictionary attacks. Using SHA-256 is strange. Some websites store clear text passwords. Some websites store bcrypt hashes. Why do you focus on SHA-256? Is there some kind of statistics that this particular kind of hash is common among hacked websites?
I agree that it depends on attack scenario. My scenario is: I expect website owners to find out about attack in a timely manner and disable all compromised accounts. Of course I won't reuse single password across different websites. Also I feel that most important websites nowadays require SMS or E-mail factor when logging in from another device, so this further decreases requirements for strong password.
And, of course, I don't expect to be targeted by government. They'll just hit my head with wrench until I unlock my iPhone, that would be cheapest attack on me, independent on password length.
> When data leak occurs, nobody's going to brute force random passwords.
People will absolutely bruteforce random passwords. There are entire communities (like hashmob net, not sure if I am allowed to link it directly) devoted to cracking as many hashes of breaches as possible. Dictionary attacks will get you most of the easy passwords, but are quickly exhausted.
> Why do you focus on SHA-256?
I chose this hash because, thanks to Bitcoin, we know how fast specialized hardware to compute that hash can be.
> Is there some kind of statistics that this particular kind of hash is common among hacked websites?
It's not the most common. That would sadly be MD5. But SHA-256 is not rare either.
> They'll just hit my head with wrench until I unlock my iPhone, that would be cheapest attack on me, independent on password length.
It's not a password, it's an API Key. A GUID is 16 bytes represented as 36 characters with hypens but we consider those secure. Even Stripe's private keys are kinda short but their restricted keys are not.
They're more secure than "Welcome2024!", which is what you can expect most people to use. 16 letters is more than secure enough, you can't brute force that. They're guaranteed to be unique passwords that aren't used on other services, so credential stuffing is no longer a threat.
This is an inconsequential change to people who use password managers, but it'll help against credential stuffing attacks for the common user.
Uppercase + numbers + special characters will only give 1.3 more bits per character. 26 possibilities is 4.7 bits, so each additional lowercase letter adds enough entropy to make up for the alphabet size of 4.7/1.3=3.6 characters.
So roughly speaking, 16 lowercase letters has about the entropy of 12 characters with a larger alphabet. That seems ok to me; 12 characters is pretty decent. Certainly not laughable.
With an alphabet of 64 possible characters, you have 12lg(64)=72 bits for 12 random characters.
With an alphabet of 26 possible characters, you have 16lg(26)=75 bits for 16 random characters.
And the "random" part that allows the lg(possibilities) calculation is enabled by not allowing you to set the passwords yourself.
Of course, 75 bits only gives you about 100 billion users × apps before you start hitting birthdays—er, collisions—so hopefully they're not using the passwords as unique keys anywhere! (But why would they?)
I just hope that Gmail itself (as client) becomes something other than a Less Secure App. Right now I have to keep that LSA switch going so that my main Gmail account can SMTP send mail with credentials from my other many Gmail accounts. I've never understood why Gmail itself is a LSA in the eyes of other Gmail accounts.
I don't know why it is that, but I know why it was that at one time, quite long ago: One team had set terms for what avoids LSAness, another team hadn't updated some code to match the new terms.
I had been wanting to read a document on OAuth as I have several things in pipeline where OAuth would be involved and the link you posted is just timely and perfect - so thank you!
If you can’t switch to OAuth, you can use my proxy to allow any IMAP (or POP/SMTP) client to be used with a “modern” email provider, regardless of whether the client supports OAuth 2.0 natively: https://github.com/simonrob/email-oauth2-proxy. No need for your client to know about OAuth at all.
The provider might notice that their key is being used in an unauthorized way and terminate your account, prosecute you for computer fraud and abuse, etc.
I think this is the only assured way to interop, as I expect Google may try to kill other competing apps (specially in mobile) that does not capture user data or generate data points for its ads.
I wonder if any intentional limitation here should not trigger some of the EU Digital Services Act provisions for interoperability ... in this list [1] I see Google Play, Maps, and Shopping but not GMail!
There's no good way around that unfortunately. The proxy could build in an OAuth client for the major providers, but it's unlikely that this would be trusted by default without significant effort being put into review processes.
As the readme explains, there's nothing to stop you using the existing OAuth client details from another source (such as the many already trusted open source email clients that exist).
Yes. I'd argue the problem is not on the project's side, it's on the Google side (they have ridiculously high requirements for registering OAuth clients for IMAP/SMTP use, especially for a small open-source project).
This is surprisingly non-shitty by Google. I must admit that I didn't know that before. Can you limit such a passcode to just IMAP/SMTP, or can it be used to log in to other parts of Google?
This passcode is inherently limited to the service it bound to (IMAP or POP3), that's the whole point: don't expose your account password to something which only needs a finer-grained access.
You're directly contradicting your sibling comment. I guess I'll experiment with this in the coming days, although I'm a little worried tinkering too much will just completely lock me out of my account.
This is all about getting users off of the fantastic native mail apps and onto googles own. You can’t get realtime mail notifications without gmail.app or the soon to be deprecated Google sync. I hate it. I pay Google for workspace and I hate it. At least Mimestream still works on desktop but I bet they’re coming for that soon too.
Yes, it's pretty obvious this is what's going on. The solution to these "less secure apps" was to simply generate stronger passwords for them instead of making the user jump through hoops by using oauth2 proxies, especially for older hardware/software.
Fully agree. Also paying for my gmail account and hate every moment of it but nobody seems to be able to get remotely close to gmail for spam handling.
After two years of using Fastmail as my primary account, in my effort to de-Google in 2022, spam recognition at Fastmail seems to me to be on a par with Gmail, if not better. I still use both.
I use Fastmail for 5+ years now. Initially I feared that the experience would be worse than Gmail (with regards to the Web UI, to spam filtering, etc). It is not. It really is much better!
Agreed, Fastmail is pretty good at spam filtering. My Gmail account is pretty much full of spam nowdays which seems to suggest Gmail's spam filtering isn't that great.
What makes me really mad is that I mark a sender as 'not spam' over and over again in Gmail and where does it keep going? Spam. I have a bunch of system emails and I can't convince Google to just give me my damned mail.
It’s a good, standard protocol with unreasonably low adoption because of the chicken and egg problem between mail providers and mail applications. If Gmail supported jmap it would encourage implementers everywhere to support it. And jmap supports notifications and all the rest.
I agree, but why would Google adopt it when they have their own proprietary protocol with similar functionality? Companies love anything that makes them more "sticky", whether it's good for the user or not.
Outlook 2007 users can use app passwords to maintain access. This is about users running Outlook 2007 with their main app password stored to their account database, rather than a randomly generated, email-specific password.
Oauth isn't that hard to implement. It requires a WebView as part of the setup process, but after that the mail app just needs to store a token as a password and it'll keep working.
Oauth for email is part of the various RFCs pertaining to email authentication and has been around for years.
Thunderbird and various mobile apps support Gmail just fine using Oauth. I think the bigger problem is that many desktop apps seem to have stopped implementing changes to IMAP and SMTP about ten years ago.
If you have an email app that's no longer maintained, use app passwords (generated per-app passwords), like Google is indicating in the linked article. Those will still work. It's just the hardcoded username/password for the main account that's going away.
This will be a major pain for the Office 2016 users, as 30 september is still about nine months before their Outlook goes out of support, but for most users this will be quite a easy fix.
They want the power to add arbitrary extra steps in the login flow.
For example, maybe they want to force the user to change a compromised password, or hand over their phone number, or complete a captcha, or accept a load of legalese.
You can do this without a webview in your application, but it usually means giving the user an URL to open in their own browser.
Doesn't google explicitly forbid a WebView for oauth?
The point is to not have users entering their google credentials into third-party apps, and a WebView is still entering your credentials into a third-party app. The app has to open the google login page in a real browser, not a WebView.
Hardware keys are a second factor. But if you allow passwords to be compromised just because there is a second factor, then you're back down to one-factor auth and you've solved nothing
Fido keys can also be used without password or even an account name (but with pin which becomes the second factor in that scenario). They are very resistant to phishing because they do a challenge response every time that's bound to the domain name of the requesting site. So typosquatting tricks won't work. The private key is generated and stored in the token and they are very resistant to extraction.
In general it's way safer than a password that can be intercepted and reused by anyone who knows it.
but we're talking about google's implementation here, where fido keys are only a second factor. and in google's implementation, allowing passwords to be compromised means compromising your security, because their authentication flow is based around having more than just one factor.
Well. Hardware keys are just hardware keys. They can be used as a second factor, they can be used as a third factor, they can be used as the only factor. It's not immediately obvious that using only a password is less secure than using only a hardware key.
I would say that if you use your fingerprint to unlock the hardware key on your smartphone, then you have two factors: one needs to both steal your smartphone (for the hardware key) and copy your fingerprint.
I suppose it technically doesn't require a WebViee, but that's the easiest solution in most cases.
I'm not sure how you're going to implement Google's 2FA in a non-WebView solution, but if you can get the right UI and data flows to work, I'm sure you can do without.
So you can't read your mail from a platform that doesn't have a web browser installed...
Edit: to be more clear: so you can't read your mail from a platform that can't run or embed a modern web browser. For example... a command line only system without a GUI.
Sure you can, you just have to complete the OAuth2 login on a different device (e.g. phone) and then forward the token to the device which has no web browser.
On the phone itself the WebView limitation is worked around via deep linking (start Browser from App and once logged in start App from Browser with token).
There are tons of different ways how to do this actively being used.
It's a long, random password, that you generate anew for each application that needs it: one compromised app can be revoke quickly without affecting other.
But more importantly, app password can only be used for email, not other Google's service, so even if it gets leaked, the impact is severely reduced.
Your account password is too powerful, for example, it allows anyone who knows it and can provide the 2FA to change non-email settings, such as the preferred languages, the list of bank cards attached to the account, see the places visited, read and modify Google docs, or change the password. The app-specific password has a scope attached to it, and can thus be used only to do what the app needs to do, without any possibility to take your entire account over.
It's a password that allows access to email, but not to the "change my Google password" page, or to push app installation to the Play Store, or to invite other people into Google Meet links. These passwords are contained to very specific APIs surrounding email and Caldav and such.
That means you're not completely screwed when your Outlook password database gets stolen by malware.
As a user, it also allows you to revoke an application remotely without having to change your password and log in to every device again. One click of a button and new emails won't appear on a lost laptop or phone, even if they manage to bypass the screen lock. It's all about risk management.
I appreciate that we all have different bugbears, but realtime mail notification isn't going to get me off Thunderbird. Email is asynchronous, and therefore finding out 10 minutes later about a message coming in shouldn't be a problem. If I'm expecting the message then I'll be mashing refresh until it arrives, anyway.
If you need me more urgently, text me. Don't call. I don't like calls.
Same, native iOS Mail app in my case. I get Gmail notifications only when connected to power and Wi-Fi (can be set to a time interval too but I’d rather conserve my battery). When I expect a mail, I open the app and it auto refreshes until the mail comes.
Been dealing with Microsofts OAuth transition at work, and it's been a bit of a PITA.
Part of the problem is that it's just so opaque. You send the token and the server replies "nope", with no further explanation.
I spent literal days trying to figure out why Client Credentials-flow didn't work until I found an answer buried on their help forum saying oh yeah, client credentials flow isn't supported yet. It is now for IMAP/POP, but still not for SMTP IIRC (though OAuth is not requiredfor SMTP yet).
Next it was figuring out the right scopes, which at the time was not very well documented. Again not very helpful error messages by the servers.
> Part of the problem is that it's just so opaque. You send the token and the server replies "nope", with no further explanation.
Catch-all HTTP 401s and 403s are there to thwart https://en.wikipedia.org/wiki/Oracle_attack - unfortunately, servers cannot afford to be "helpful" when it comes to unauthenticated clients.
Yeah some development servers that didn't actually send the mail anywhere but did give usable error messages for example would be amazing.
To avoid it being used as an attack vector they could be tied to special app registrations that had to be registered with the mail development system in advance.
It's important to note here that OAuth isn't one thing anymore like it was for OAuth 1. With OAuth2 it's more like OAuth is a toolset for implementing your own proprietary protocol. Each major provider needs it's own custom implementation in email clients to cover it. There's no general purpose oauth2 in practice. OAuth2 is more like a per-corporation protocol.
Lets hope they don't sunset "app passwords" for at least a few more years. If you haven't yet, consider setting up your own mailserver for kicks and using it for non-important things to build IP reputation for when public email stops being email entirely.
I haven't been able to get `offlineimap` working with gmail in at least the last six months. If anyone has been successful, please let me know. The blog posts I've found all have out of date information. If I'm locked into their cloud, I'd at least like to have a backup of my data--
and no, I don't want the takeout service, the Maildir format and features of offlineimap are what work great!
And I migrated away all my accounts from Google in anticipation of it being more and more user hostile.
Honestly, if I were still at Google, I would be outraged. In the name of false security, they make the wall around their garden taller and thicker every single day.
I will do everything in my power to pressure my university to migrate their email accounts to another service.
This is anti-competitive behavior designed to make it as hard as possible to use email client software. For example, check the procedures needed to set up oauth2 in my preferred client claws-mail.[1] That's insane.
We use gmail at work and they warned our IT department that App passwords were deprecated and would be removed at some point (there was a previous deadline but it has been extended to a non-specific point in the future).
We had the same communications with Google that encouraged us not to use App Passwords, and hinting at a future removal. Plus the fact that App Passwords expire when the Google Account password changed, means you can’t count on the App Password working.
We are a large enough organization with that we have 25 years of use cases beyond “People Reading in their Inbox”. Printers and scanners have been mentioned. But we also have email used to automatically move data between systems.
Sometimes this is due to limitations of third party systems, sometimes we have to decide does it make sense to invest the time to rewrite a well tested tool that uses POP.
So we have decided to a standards based POP, IMAP, SMTP email service for these automated systems. It takes much less time to configure and test swapping POP server info than migrating to OAUTH
"Tip: App passwords aren’t recommended and are unnecessary in most cases."
"Tip: Don’t create an app password unless the app or device you want to connect to your account doesn’t have 'Sign in with Google.'"
"To help protect your account, we revoke your app passwords when you change your Google Account password."
"Tip: If the app offers 'Sign in with Google,' we recommend you use that feature to connect the app to your Google Account."
"If you use a non-Google app and can't sign in, the app's sign-in process might not be secure. Try to update to the latest version of the app and use 'Sign in with Google,' if it’s an option."
Yeah, no problem at all. I'm sure it's going to work flawlessly and effortlessly.
My SO uses GMail and anything but Thunderbird it's a hellish nightmare to setup.
On the HN comments about "but my secUrity"... who cares. Get a good and long password and use TLS everywhere. This is enshittification and pure EEE tactics against public standards and free sofware email clients and yet these careless users applaud it.
> This is anti-competitive behavior designed to make it as hard as possible to use email client software
Use App password. They are not blocking any 3rd party clients. Are you advocating using real password in every random client that may or may not transmit it in full text elsewhere?
I will do that if our university decides to switch on 2-factor authentication (which would be total chaos), but my trust in Google's ability to make this effortless and easy in third-party email clients is zero. See my other post why.
Regarding security: Google had physical fiber optics connections to the NSA and claimed they didn't know about them. It's not a very credible claim but if if was true, then it would be proof that Google has no competence in security at all.
Any decent 3rd party client does this already. Take for example, thunderbird or k9-mail - major open source ones. Even Mail (from Apple, macOS) does this. What else you need? Sure if you use mutt or ALPINE read the related forums for help.
while anyone can criticise any large company one should do it for the correct reasons.
Your frankly-speaking somewhat condescending reply fails to address the issue. This has nothing to do with the client software, which is claws-mail in this case. My organization does not enable 2-factor authentication. Once they do, claws-mail can be configured to use "App passwords."
But if you look at my other post, quotes of Google's own documentation of "App passwords" and various testimony in this thread do not inspire much confidence that this will work as an acceptable long-term solution. As I said elsewhere, the rationale behind all of this seems to be anti-competitive behavior. It's not new idea to disguise anti-competitive behavior as security issues (cf. e.g. Apple's code signing and Gatekeeper). This also explains the misleading and incorrect term "Less Secure Apps" Google uses.
I read through your website and I don't understand what your service is. You sorta seem like an email host but seem to very intentionally and carefully not advertise as an email host.
It's shameful how far we've gone down this path. My university is using Microsoft Exchange and they refuse to allow IMAP access even with Oauth2, only allowing you to use proprietary protocols. So far I've only seen Evolution and Thunderbird working (with a paid plugin for the latter). I think it's a means to exert control on your email usage. For example, most sane clients do not show images by default, which prevents various types of tracking pixels from working, whereas Outlook doesn't do this afaik.
"Microsoft Outlook is configured by default to block automatic picture downloads from the Internet. You can, however, unblock pictures that you think are safe to download."
It would be great if Google supported rfc8414 and rfc7591. Right now most MUAs hardcode credentials instead of auto-discovering/registering/configuring them and decline to implement those standards "because the big boys don't support them". The practical result is that one cannot use oauth2 on their domain easily: the MUA needs to be told about which set of oAuth2 creds to use.
> An app password is a 16-digit passcode that gives a less secure app or device permission to access your Google Account. App passwords can only be used with accounts that have 2-Step Verification turned on. [1]
Isn't it funny, how the "less secure app or device" is completely on par with OAuth-capable apps regarding security just by using a server-side mechanism Google could have promoted since… forever? Almost as if it technically isn't a feature of the app at all.
(Yeah, I get it, "apps where the secure workflow is less convenient" doesn't have the same ring to it, so the simplification is justifiable for easy communication – you will say. The greater problem is that it is kind of Google's thing to always interpret security concerns in such a way that it furthers Googles agenda and this puzzle piece is no exception.)
> just by using a server-side mechanism Google could have promoted since… forever?
Google has been pushing 2FA and App Specific Passwords for many many years. They’re just now making it mandatory for apps that can’t update to support oauth
> Isn't it funny, how the "less secure app or device" is completely on par with OAuth-capable apps regarding security just by using a server-side mechanism Google could have promoted since… forever?
They aren't on part though, Oauth is vastly less phishable and has vastly more control over specific permissions. App passwords are functionally all-or-nothing, whereas with OAuth you can configure whether something can read, modify, change settings, etc.
I host my own email server, and I want to tell that with a static IP with reverse dns, spf, dkim and dmarc I had zero issue delivering mails. It might sound complicated, but it is not that hard.
True! Also you can pay 2 €/month to Hetzner/$webhosterofchoice and have them handle that for you... No need for Google after all is what I want to say.
275 comments
[ 5.6 ms ] story [ 289 ms ] threadAlready before the LSA would disable and you would need to go into the settings to re-enable it all the time.
Everything old is new again, we’re running services locally just to make legacy work.
The one at my work sends the PDF as an attachment, from its own email address.
> If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device.
> All Other Applications. If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.
But I asked Google Workspace Support specifically about this yesterday, and they said:
> The application passwords will support IMAP, POP, and all SMTP configurations. Rest assured that OAuth serves as an alternative, offering a straightforward configuration process for any third-party application.
The second sentence was just them continually pushing adopting OAuth. I'd love to, but the cost of the (recurring) security review is not feasible for our small SaaS app, so we'll be sticking with app passwords (thankfully).
I think this hasn't worked for accounts that have had 2FA for quite some time. I remember having to switch several years ago.
It sounds like there is a feature for generating additional passwords for specific apps/scopes?
Anyway. Forced 2fa without warning has locked me out of several Gmail accounts. I didn't know when migrating took Proton that you must use their client for mobile.
All these violations of abstraction!
a) I have apps with their own Google accounts
b) I have devices with their own Google accounts
It is (or was) a good way to go. Receiving an email from a scanner or sharing something with an app on Google Drive is a lot more secure than OAuth + "This app will have access to EVERYTHING IN YOUR GOOGLE DRIVE"
> "This app will have access to EVERYTHING IN YOUR GOOGLE DRIVE"
Then don't use such app
https://developers.google.com/drive/api/guides/api-specific-...
I automate things all the time. If you want ChatGPT to provide feedback on a document, the above is what I've got to work with. If I want a web app to maintain a spreadsheet, again, that's what I've got.
Granular permissions = more secure.
The idea that people should only use a google application to access google email sounds crazy to me but I understand the situation is different on smartphones where you aren't in control.
But also how do app specific passwords protect you if you have malicious software on your computer rifling through your files?
It minimizes the blast radius if it is compromised. A Google account provides access to much more than just email.
Most consumers do not know how to check source code for backdoors. Most consumers do not know how to compile from source.
>Also, passwords in mail clients are often encrypted.
Which means they have to be decrypted at some point. Malicous software can decrypt it itself, or steal it after it has been decrypted.
* There are real security vulnerabilities, and there are end-of-the world articles that try to make you believe the whole world is at risk via some complex exploit that requires the attacker to obtain local root some other way.
I still access my personal Gmail account via the Microsoft Exchange option in my iPhone's Mail.app and I get push notifications this way rather than being stuck with Fetch.
The reason it still works is that connections made to Google Sync for personal accounts prior to the discontinuation date like 10 years ago are still honored and "grandfathered" if you will.
So to get it to work I just need to modify the Exchange GUID in my iPhone to what the GUID was on my phone back when I logged into Google Sync before they discontinued new logins.
Fortunately changing this GUID is possible by taking an iPhone backup, modifying a plist file in the backup, and restoring that backup to the phone.
So right now, on my iPhone 14 Pro, I am still using Mail.app with push notifications to my personal Gmail account.
But it's okay. App passwords will still work, it seems. This is just removal of "Less Secure Apps" support, using the account's plain account user/password.
I shudder to think how much automation would die if Google truly killed off everything but OAuth.
I don't like the complexity OAuth. I enjoyed this Perl module documentation[1] that breaks down how the dang thing works, clearly written by someone as exasperated as me (:
[1] https://metacpan.org/dist/LWP-Authen-OAuth2/view/lib/LWP/Aut...
I ran into the same problem and one workspace disallows App passwords. You can simply get the OAuth token with a little python script and then use it as the password: https://github.com/google/gmail-oauth2-tools/blob/master/pyt...
(see for example https://github.com/lefcha/imapfilter/issues/186)
I have a few scripts and dev environments that use App Passwords to send email via Gmail SMTP!
16 lowercase letters (in groups of 4 separated by space), no numbers, no special characters.
Keepass evaluates this as a weak password with 65 bits of entropy (if spaces are removed)
How is this an improvement?
*unless you take this password after it's generated and start reusing it in other services, but that is pure self sabotage
The examples in their docs show that a run of characters “aaaa…” only has an estimate of 7 bits:
https://keepass.info/help/kb/pw_quality_est.html
Obviously the estimate is wrong when the password will always have a fixed length and a randomized character set. But KeePass doesn’t know that “pass word pass word” is following set rule. Perhaps parent commenter ran the calculation on an example with a run or common word within it.
You’re right it’s 75 bits for the format used by Google here.
2 ^ 65 / 20 / 365 / 86400 = 58 494 241 735
I don't think Google would allow you to bruteforce account using 58 billions of attempts per second for 20 years.
For example, imagine that OP is reusing passwords across different websites as most people are doing. One server gets hacked and the SHA256 password hashes get leaked, which unfortunately is still common. Currently, the best bitcoin miners can hash in the order of 10^14 hashes per second, which amounts to just 2^65 / 10^14 / 86400 ≈ 4 days of hashing. To be fair, bitcoin miners usually are not suitable for password hashing, but I'd be surprised if the NSA does not have 1000s of similar devices somewhere. Is that a realistic scenario? Probably not. But it is certainly a technical possibility.
A lower case password with 10 characters is not sufficient at all. Anycone could bruteforce that in a day with just one modern GPU.
https://www.zdnet.com/article/google-the-nsa-and-the-need-fo...
1)https://krebsonsecurity.com/tag/emergency-data-request/ 2)https://news.ycombinator.com/item?id=30842757
This list does exist.
https://en.wikipedia.org/wiki/Global_surveillance_whistleblo...
I agree that it depends on attack scenario. My scenario is: I expect website owners to find out about attack in a timely manner and disable all compromised accounts. Of course I won't reuse single password across different websites. Also I feel that most important websites nowadays require SMS or E-mail factor when logging in from another device, so this further decreases requirements for strong password.
And, of course, I don't expect to be targeted by government. They'll just hit my head with wrench until I unlock my iPhone, that would be cheapest attack on me, independent on password length.
People will absolutely bruteforce random passwords. There are entire communities (like hashmob net, not sure if I am allowed to link it directly) devoted to cracking as many hashes of breaches as possible. Dictionary attacks will get you most of the easy passwords, but are quickly exhausted.
> Why do you focus on SHA-256?
I chose this hash because, thanks to Bitcoin, we know how fast specialized hardware to compute that hash can be.
> Is there some kind of statistics that this particular kind of hash is common among hacked websites?
It's not the most common. That would sadly be MD5. But SHA-256 is not rare either.
> They'll just hit my head with wrench until I unlock my iPhone, that would be cheapest attack on me, independent on password length.
I agree, rubber-hose cryptanalysis can be very cost-efficient. https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Fortunately, many governments are opposed to this kind of cryptanalysis, but YMMV.
FWIW that's impossible in this context since:
> you cannot set app passwords yourself
Though more generally, password reuse is indeed a problem regardless of entropy.
That would be foolish, but users do all sorts of foolish things.
I don't see the difference.
> A GUID is 16 bytes represented as 36 characters with hypens but we consider those secure.
That's about twice as many bytes. That's an exponential difference in security.
This is an inconsequential change to people who use password managers, but it'll help against credential stuffing attacks for the common user.
Uppercase + numbers + special characters will only give 1.3 more bits per character. 26 possibilities is 4.7 bits, so each additional lowercase letter adds enough entropy to make up for the alphabet size of 4.7/1.3=3.6 characters.
So roughly speaking, 16 lowercase letters has about the entropy of 12 characters with a larger alphabet. That seems ok to me; 12 characters is pretty decent. Certainly not laughable.
With an alphabet of 64 possible characters, you have 12lg(64)=72 bits for 12 random characters.
With an alphabet of 26 possible characters, you have 16lg(26)=75 bits for 16 random characters.
And the "random" part that allows the lg(possibilities) calculation is enabled by not allowing you to set the passwords yourself.
Of course, 75 bits only gives you about 100 billion users × apps before you start hitting birthdays—er, collisions—so hopefully they're not using the passwords as unique keys anywhere! (But why would they?)
That's not weak?
Because Google isn't special-casing itself (which is a good thing).
You can enable 2FA on the other accounts and then use app-specific passwords, which will allow you to disable the switch.
(Remind me, what's stopping me from extracting the client secrets from the compiled binary, and re-using them elsewhere?)
I wonder if any intentional limitation here should not trigger some of the EU Digital Services Act provisions for interoperability ... in this list [1] I see Google Play, Maps, and Shopping but not GMail!
[1] https://en.wikipedia.org/wiki/Digital_Services_Act#Very_larg...
As the readme explains, there's nothing to stop you using the existing OAuth client details from another source (such as the many already trusted open source email clients that exist).
There is likely a package/library for your language of choice to do a basic oauth client.
If you can't switch to OAuth, you can simply create an app password and continue using that as your IMAP password as usual.
Edit: that's incorrect, see replies.
-- Google, when you make an App Password
Changes to Gmail syncing with other email clients
https://news.ycombinator.com/item?id=38975692
Even so, I will also be using this as a reminder to move my stuff away from Google.
In my case ALL spam goes to inbox (a LOT) and ALL uselfull real emails go to the junk folder (very few).
I truly wonder how they do it. I can't get my head around it.
It’s a good, standard protocol with unreasonably low adoption because of the chicken and egg problem between mail providers and mail applications. If Gmail supported jmap it would encourage implementers everywhere to support it. And jmap supports notifications and all the rest.
This only affects Workspace accounts, so I'm sure the users stuck with Outlook 2007 can call IT to get it working again.
Oauth for email is part of the various RFCs pertaining to email authentication and has been around for years.
Thunderbird and various mobile apps support Gmail just fine using Oauth. I think the bigger problem is that many desktop apps seem to have stopped implementing changes to IMAP and SMTP about ten years ago.
If you have an email app that's no longer maintained, use app passwords (generated per-app passwords), like Google is indicating in the linked article. Those will still work. It's just the hardcoded username/password for the main account that's going away.
This will be a major pain for the Office 2016 users, as 30 september is still about nine months before their Outlook goes out of support, but for most users this will be quite a easy fix.
Why does it require a WebView, btw? Is there a good technical reason for that, or is it just what they happened to do?
For example, maybe they want to force the user to change a compromised password, or hand over their phone number, or complete a captcha, or accept a load of legalese.
You can do this without a webview in your application, but it usually means giving the user an URL to open in their own browser.
The point is to not have users entering their google credentials into third-party apps, and a WebView is still entering your credentials into a third-party app. The app has to open the google login page in a real browser, not a WebView.
Hardware keys are a second factor. But if you allow passwords to be compromised just because there is a second factor, then you're back down to one-factor auth and you've solved nothing
In general it's way safer than a password that can be intercepted and reused by anyone who knows it.
Or am I missing something here?
Some hardware keys like yubikey's generally only prove physical presence of the key. And software implementations exist too.
I'm not sure how you're going to implement Google's 2FA in a non-WebView solution, but if you can get the right UI and data flows to work, I'm sure you can do without.
So you can't read your mail from a platform that doesn't have a web browser installed...
Edit: to be more clear: so you can't read your mail from a platform that can't run or embed a modern web browser. For example... a command line only system without a GUI.
On the phone itself the WebView limitation is worked around via deep linking (start Browser from App and once logged in start App from Browser with token).
There are tons of different ways how to do this actively being used.
But more importantly, app password can only be used for email, not other Google's service, so even if it gets leaked, the impact is severely reduced.
That means you're not completely screwed when your Outlook password database gets stolen by malware.
As a user, it also allows you to revoke an application remotely without having to change your password and log in to every device again. One click of a button and new emails won't appear on a lost laptop or phone, even if they manage to bypass the screen lock. It's all about risk management.
If you need me more urgently, text me. Don't call. I don't like calls.
I'd really rather use 1password for OTP but so few non-tech services support that.
You can also get realtime notifications using IMAP+IDLE+app passwords, although IIRC that'll lag by a couple of seconds.
Are there no servers with free tiers, is it impossible to run your own, does Gmail refuse to pub to a server outside Google, or what's the problem?
Part of the problem is that it's just so opaque. You send the token and the server replies "nope", with no further explanation.
I spent literal days trying to figure out why Client Credentials-flow didn't work until I found an answer buried on their help forum saying oh yeah, client credentials flow isn't supported yet. It is now for IMAP/POP, but still not for SMTP IIRC (though OAuth is not requiredfor SMTP yet).
Next it was figuring out the right scopes, which at the time was not very well documented. Again not very helpful error messages by the servers.
Google's mail servers any better?
Catch-all HTTP 401s and 403s are there to thwart https://en.wikipedia.org/wiki/Oracle_attack - unfortunately, servers cannot afford to be "helpful" when it comes to unauthenticated clients.
I also have burned too many hours trying to get various OAuth flows working.
To avoid it being used as an attack vector they could be tied to special app registrations that had to be registered with the mail development system in advance.
Lets hope they don't sunset "app passwords" for at least a few more years. If you haven't yet, consider setting up your own mailserver for kicks and using it for non-important things to build IP reputation for when public email stops being email entirely.
and no, I don't want the takeout service, the Maildir format and features of offlineimap are what work great!
Does the example on the ArchWiki[0] work for you?
[0]: https://wiki.archlinux.org/title/OfflineIMAP#OAuth2_access_t...
Honestly, if I were still at Google, I would be outraged. In the name of false security, they make the wall around their garden taller and thicker every single day.
This is anti-competitive behavior designed to make it as hard as possible to use email client software. For example, check the procedures needed to set up oauth2 in my preferred client claws-mail.[1] That's insane.
[1] https://www.claws-mail.org/faq/index.php/Oauth2
We are a large enough organization with that we have 25 years of use cases beyond “People Reading in their Inbox”. Printers and scanners have been mentioned. But we also have email used to automatically move data between systems.
Sometimes this is due to limitations of third party systems, sometimes we have to decide does it make sense to invest the time to rewrite a well tested tool that uses POP.
So we have decided to a standards based POP, IMAP, SMTP email service for these automated systems. It takes much less time to configure and test swapping POP server info than migrating to OAUTH
The end user email stays with Gmail.
"Tip: App passwords aren’t recommended and are unnecessary in most cases."
"Tip: Don’t create an app password unless the app or device you want to connect to your account doesn’t have 'Sign in with Google.'"
"To help protect your account, we revoke your app passwords when you change your Google Account password."
"Tip: If the app offers 'Sign in with Google,' we recommend you use that feature to connect the app to your Google Account."
"If you use a non-Google app and can't sign in, the app's sign-in process might not be secure. Try to update to the latest version of the app and use 'Sign in with Google,' if it’s an option."
Yeah, no problem at all. I'm sure it's going to work flawlessly and effortlessly.
Use App password. They are not blocking any 3rd party clients. Are you advocating using real password in every random client that may or may not transmit it in full text elsewhere?
I do assume you know security essentials.
Regarding security: Google had physical fiber optics connections to the NSA and claimed they didn't know about them. It's not a very credible claim but if if was true, then it would be proof that Google has no competence in security at all.
while anyone can criticise any large company one should do it for the correct reasons.
But if you look at my other post, quotes of Google's own documentation of "App passwords" and various testimony in this thread do not inspire much confidence that this will work as an acceptable long-term solution. As I said elsewhere, the rationale behind all of this seems to be anti-competitive behavior. It's not new idea to disguise anti-competitive behavior as security issues (cf. e.g. Apple's code signing and Gatekeeper). This also explains the misleading and incorrect term "Less Secure Apps" Google uses.
We currently serve UMD, Tufts, Swarthmore, and more.
https://forwardemail.net
Commit: https://github.com/forwardemail/forwardemail.net/commit/5942...
"Microsoft Outlook is configured by default to block automatic picture downloads from the Internet. You can, however, unblock pictures that you think are safe to download."
From https://support.microsoft.com/en-us/office/block-or-unblock-...
See https://searchfox.org/comm-central/source/mailnews/base/src/... , https://github.com/thunderbird/autoconfig/tree/master/ispdb and https://bugzilla.mozilla.org/show_bug.cgi?id=1602166
Isn't it funny, how the "less secure app or device" is completely on par with OAuth-capable apps regarding security just by using a server-side mechanism Google could have promoted since… forever? Almost as if it technically isn't a feature of the app at all.
(Yeah, I get it, "apps where the secure workflow is less convenient" doesn't have the same ring to it, so the simplification is justifiable for easy communication – you will say. The greater problem is that it is kind of Google's thing to always interpret security concerns in such a way that it furthers Googles agenda and this puzzle piece is no exception.)
[1] https://support.google.com/mail/answer/185833
Google has been pushing 2FA and App Specific Passwords for many many years. They’re just now making it mandatory for apps that can’t update to support oauth
They aren't on part though, Oauth is vastly less phishable and has vastly more control over specific permissions. App passwords are functionally all-or-nothing, whereas with OAuth you can configure whether something can read, modify, change settings, etc.
(By the way, there are a lot of great e-mail providers other than Google. Often even with a web UI superior to the one by Gmail.)