Gmail with an App Password (Shallow Thoughts)

Akkana's Musings on Open Source Computing and Technology, Science, and Nature.

Fri, 29 Mar 2024

Gmail with an App Password

In 2022 I wrote about Sending Mail via Gmail using OAuth2.

But it turned out that Google expires OAuth2 tokens on a weekly basis. So if you use that method, once a week you'll have to bring up a browser, log in to your Google account and go through the five or so pages of re-authorizing. Which will invariably happen when you're in a hurry and just wanted to send a quick email so you can move on to other things.

However, it turns out there's an easier way, which apparently doesn't expire: App passwords. I switched to using app passwords back then and have been using the same one ever since; I even wrote it up, and then forgot to post it. What a dingbat!

But I changed my GMail password recently, and it turns out when you change your Gmail account password, Google revokes all app passwords you've set up (and, of course, doesn't bother to tell you that, and the error message you get when you try to sign in with the old app password has nothing whatever to do with the actual problem, which is that your app password has been revoked and you need to create a new one).

So I dug out this old never-got-posted article and used it to make a new app password, and have updated the parts that were a little out of date.

First, 2-Step Verification

Google only lets you use app passwords if you have 2-Step Verification enabled for your Google account. (If you've already set up 2-Step verification, you can skip to the next section.)

There's a trick. Google really wants you to use SMS (text) messages to your phone for your second factor. However, that's not a secure method since it's vulnerable to SIM swap attacks which you can't really guard against, since it's a social engineering attack rather than a technical one.

However, secure or not, Google insists on having a phone number it can text or call in order to set up 2SV. As far as I can make out, it's only used once, and then you can remove the phone number from your account. A Google Voice number works.

Once you've gotten the SMS and typed in the code, you're taken to a page where you can add "second steps" including an Authenticator App option that will show you a QR code you can use in an OTP app like FreeOTP+, Authy or whatever (you don't have to use Google Authenticator, even though their prompts seem to imply that).

They don't automatically offer you backup codes, but once you've enabled the OTP app, you can go back to the "second step" screen and get a set of backup codes there.

Set Up an App Password

Once you have 2-Step Verification set up, it's time to set up your App Password. In the 2-Step Verification page (if you already had 2-step verification enabled so you skipped the previous section, go to your profile's Security page and click on 2-Step Verification), click on App passwords. Choose a name for the app/device combo and click on Create. You'll get a string with sixteen characters, displayed as four groups of four, but if you copy/paste, you get just one 16-character password. (Update: I wrote the above in 2022. In 2024, copy/pasting keeps the spaces, but the password with spaces seems to work okay in my .msmtprc.)

Nobody talks about what to do next, like how to configure msmtp with an app password, and it turns out that's because there's nothing to it: just put the app password wherever you would have put a regular password, and use your Gmail address as the user.
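As an added example (not from the original post), here is a small setup script that does the same thing but keeps the app password out of ~/.msmtprc in plain text: it strips the spaces Google's 2024 page leaves in the pasted password, encrypts it with gpg, and writes a config that uses msmtp's passwordeval option. The Gmail address, the ~/.msmtp-gmail.gpg file name and the Debian CA-bundle path are assumptions, not from the post.

```bash
#!/bin/sh
# Added example: msmtp + Gmail app password without a plain-text password in the config.
# Assumed names (not from the original post): ~/.msmtp-gmail.gpg and the Debian CA bundle path.

# Google's 2024 UI copies the app password as four groups of four separated by spaces;
# msmtp seems to accept that, but the bare 16-character string is unambiguous.
normalize_app_password() {
    printf '%s' "$1" | tr -d ' '
}

# Encrypt the app password (symmetric gpg) so it never sits in ~/.msmtprc.
# usage: store_app_password '<app password>' ~/.msmtp-gmail.gpg
store_app_password() {
    normalize_app_password "$1" | gpg --quiet --symmetric --output "$2"
}

# Write an msmtprc whose password is fetched by passwordeval at send time.
# usage: write_msmtprc <path> <gmail address> <encrypted password file>
write_msmtprc() {
    cat > "$1" <<EOF
defaults
auth           on
tls            on
tls_starttls   on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

account        gmail
host           smtp.gmail.com
port           587
from           $2
user           $2
passwordeval   gpg --quiet --for-your-eyes-only --no-tty --decrypt $3

account default : gmail
EOF
    # msmtp rejects a config that contains secrets if other users can read it.
    chmod 600 "$1"
}
```

After running store_app_password and write_msmtprc, `msmtp --serverinfo` against the gmail account confirms the connection before you send real mail.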

That kind of blew me away: Google considers regular passwords insecure and makes everyone jump through hoops rather than use them; but if you set up 2FV and an app password, suddenly passwords are fine, and you don't need to use the 2FV.

It's kind of a head-scratcher. But in any case, using an app password is easy, and they don't expire — except when you change your password.

20:32 Mar 29, 2024 | tech/email
