App-Specific Passwords - Security benefit?

Can someone explain to me the security benefit of app-specific passwords? I'm struggling to wrap my head around them because:

  1. "App-specific" is misleading, as you could theoretically use one app-specific password for multiple apps. It would be unwise to do that, but there is nothing preventing you from entering an app-specific password in two apps/services. This means that the password does not become invalid for another login.

  2. I don't really get how the security benefit manifests. First, it circumvents the 2-factor protection. Second, if I use something like Sanebox with my iCloud address, I would enter an app-specific password instead of my real password. But afaik, this password just prevents Sanebox from knowing my actual password, and they would still have access not only to my e-mail but also to everything else that is iCloud-related. Or am I missing something? Unfortunately, Apple's documentation is not that helpful…

Can someone offer an explanation? Thank you! :slight_smile:

Just in case: I am not assuming that Sanebox would spy on my iCloud data, I just used them to give an example of what I think could theoretically happen.

App-specific passwords are generally generated with a good amount of entropy and randomness. The ones I have are provided by the service, and whatever input I give will be fed through a hashing algorithm. This is not the only thing used to create the hash, so you will not get two identical app-specific passwords even if your input is the same. Different services may also use different algorithms and routines to produce the hash. (You probably know that hashing is a cryptographic one-way process that cannot be reversed to find out what the input was.)

It does circumvent 2-factor, true. However, your email app will not be able to check for new email in the background if it needed you to provide the second factor every 5 minutes.

The upside is that if you lose control of the device, you can revoke all app-specific passwords used for it without disturbing service on your main account and any additional devices you might have. You could argue that the second factor has already been given to the device through TouchID or FaceID.

Not sure about iCloud, but I find it unlikely that Sanebox would get access to all your files on iCloud Drive and the rest of iCloud just because you gave it access to read your email. There should be granularity enough to confine it to email.

Every time I try to get out of Airmail Beta and get back into regular Airmail, I have a problem with one account that wants an app-specific password. I try to follow all the instructions to the letter, but it always causes multiple problems, so I guess at this point you could say I'm not a fan.

Thank you for your explanation!
However, regarding iCloud, I cannot find any way to granularly grant permissions to an app/service. As far as I can tell, there is just the possibility to create and delete an app-specific password on appleid.apple.com. Because of this, the only benefit seems to be that I can revoke one of these passwords to lock one app/service out of my iCloud account and not to prevent an app/service to access data I do not want them to have. :confused:


FastMail offered a nice explanation on their blog today:

Thank you very much, rob!

So, in the case of FastMail, I fully understand the benefit because they offer the granularity to allow only certain types of data (e.g. mail) to be accessed with a certain app-specific password. This way, the implementation makes sense.

However, I've taken another look at Apple's website, but it still seems to me that such granularity is not available there, which I find really odd. Has anyone found a way to restrict access to e.g. iCloud Drive / Contacts / Calendar based on which app-specific password a service uses?

Following up on this topic: I have tried to find more information about the security of App-Specific Passwords and found this article which basically confirms my worries: https://www.howtogeek.com/199804/warning-your-“application-specific-passwords”-aren’t-application-specific/

They circumvent two-factor authentication and allow access to the whole account (if not prevented by some system like the one FastMail uses). So, don't get confused by the name, and be careful with them.

Also, at least with iCloud, the app-specific passwords are relatively short (e.g. in comparison to what’s possible with password generators) and there is no way to increase their length.
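To make the three points raised in this thread concrete (per-password revocation, scope restriction as FastMail describes versus unrestricted account access, and the entropy of a short lower-case secret), here is an added toy model written for this page. It is not code from Apple, FastMail, Sanebox or any poster; the `AppPasswordStore` class, the `"*"` scope meaning "unrestricted", the 16-letter lower-case alphabet and the PBKDF2 parameters are all constructed assumptions, not a description of how any real provider stores these passwords.

```python
"""Toy model of scoped, revocable app-specific passwords (constructed example)."""
import hashlib
import hmac
import math
import os
import secrets
from dataclasses import dataclass

# Lower-case letters only, mimicking the short generated secrets discussed above (assumed format).
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PBKDF2_ROUNDS = 50_000  # assumed work factor; real providers choose their own


@dataclass
class AppPassword:
    label: str           # human-readable name shown in the account's password list
    scopes: frozenset    # e.g. {"mail"}; "*" stands for unrestricted account access
    salt: bytes
    digest: bytes        # PBKDF2 of the secret; the secret itself is never stored
    revoked: bool = False


class AppPasswordStore:
    """Issues, checks and revokes app-specific passwords for one account."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, label, scopes, length=16):
        # The secret is generated server-side from a CSPRNG; user input plays no part.
        secret = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = os.urandom(16)
        self._records[label] = AppPassword(label, frozenset(scopes), salt, self._hash(secret, salt))
        return secret  # shown to the user once, then only the digest remains

    def authorize(self, secret, scope):
        """True if `secret` is a live app password whose scopes cover `scope`."""
        for rec in self._records.values():
            if rec.revoked:
                continue
            # Constant-time compare so timing does not reveal which record matched.
            if hmac.compare_digest(self._hash(secret, rec.salt), rec.digest):
                return "*" in rec.scopes or scope in rec.scopes
        return False

    def revoke(self, label):
        # Revoking one label locks out only that app; other passwords keep working.
        self._records[label].revoked = True


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random secret of `length` symbols."""
    return length * math.log2(alphabet_size)


def demo():
    """Walk through scope checks and revocation; returns the observed decisions."""
    store = AppPasswordStore()
    scoped = store.issue("sanebox", {"mail"})          # FastMail-style, mail only
    unrestricted = store.issue("legacy-client", {"*"})  # iCloud-style concern: whole account
    results = {
        "scoped_mail": store.authorize(scoped, "mail"),
        "scoped_drive": store.authorize(scoped, "drive"),
        "unrestricted_drive": store.authorize(unrestricted, "drive"),
    }
    store.revoke("sanebox")
    results["scoped_after_revoke"] = store.authorize(scoped, "mail")
    results["unrestricted_after_revoke"] = store.authorize(unrestricted, "mail")
    return results


if __name__ == "__main__":
    print(demo())
    print(f"16 lower-case letters: {entropy_bits(16, 26):.1f} bits")
    print(f"24 printable ASCII symbols: {entropy_bits(24, 94):.1f} bits")
```

The `"mail"`-only record is what granular app passwords look like: the same secret is refused for `"drive"`. The `"*"` record models the thread's concern, where a password meant for one mail client unlocks everything, so revocation is the only control left. The entropy helper shows why a 16-letter lower-case secret (about 75 bits) is weaker than a 24-symbol password from a generator (about 157 bits), although both are far beyond what an online guessing attack against a rate-limited login can reach.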