What’s up with app passwords?

Feature tips

Fraser and Alexandra are two of our Support team who help our users out every day. Today they’re talking about the necessity for app passwords, having seen first-hand what can happen if you don’t use our improved security measures.


At FastMail, the security of your account is of paramount importance to us. We’ve spoken about the importance of passwords in the past, and today we’re going to expand upon this further and tell you all about app passwords. One of the most frequently asked questions we’ve been getting in Support is “Why do I have to use an app password?”

We can understand the frustration. You already have a password. Why are we saying you need another one?

Using app passwords

App passwords can prevent an attacker gaining access to your whole account as they can only be used to access your email (and calendar and contacts), not your entire account. Did you know that when you reuse a password you’re taking a risk? If your device is hacked or stolen, or someone just watched you enter a password over your shoulder, your whole account is vulnerable.

Most people don’t want to remember a thousand different complicated passwords. The good thing about app passwords is that they are set-and-forget – you won’t need to remember them or enter them ever again. App passwords are unique 16 character passwords which are automatically generated. Create one for each client you use to access your account.

It’s like putting on a seatbelt when you’re preparing to drive away, a tiny moment’s work to protect you in the event of something unlikely, but devastating should it occur.

We have help pages on managing app passwords, complete with screenshots, and if you’re still confused, the Support team is happy to help you out.

If you don’t use an app password from an app or device, you’ll get an e-mail from us.

IMAP
Screenshot of the notification email when you try to log in to IMAP with your regular FastMail password

This email lets you know why your login didn’t work on your device: you were using your account password, instead of using an app password. It means you are using our improved security system.

What’s wrong with using just one password?

We knew we could do better to help our customers protect themselves from malicious attackers. We often find about half of the users who write in questioning the need for app passwords have accounts that show evidence of having been hacked. This is devastating for our users, and illustrates why we made this update.

We’re not the only ones, either. Apple, Google, and Microsoft have all introduced similar methods to protect their users’ accounts.

What if a hacker gets access to one of your devices?

At one point in time, we’ve all had those heart in mouth moments turning our home inside out frantically searching for our smartphone. We’re panic-stricken for a reason. If our worst fears come true and our device is lost or stolen, we’re exposed. An attacker could potentially access your various accounts, change the passwords and lock you out, leaving you unable to regain access.

The great thing about app passwords is that if you lose your phone, want to sell your computer, or you think your device or software has been compromised, you can immediately revoke the device’s access in your settings for Password and Security. And since your real password is never stored in the device itself, an attacker can’t steal your whole account and change your password to prevent you from regaining control. As well as revoking access to a stolen device, another great feature is that the password provides access to only the data your app needs. This means you can limit the app’s access to just email, or just contact information, or calendar data.

Users who are concerned about hacking can easily view a list of recent logins on your account by following the link at the bottom of the Password and Security page in your web browser. It’s a simple way to tell if you should be worried, because hacked accounts would have logins from places you’re not familiar with – sometimes all over the world. If you view your recent logins and they all seem to be coming from your own home town, it’s likely you have nothing to worry about.

Why don’t you need a one time password for the FastMail app?

Good question! You’ve probably noticed you need an app password for just about any app you can think of, but not FastMail? The FastMail app is fantastic because, unlike third party apps, it doesn’t need to save your password. Once you log in, the server sends our app a long randomised token which it then uses to verify you. It provides all the same benefits of the app password with the beauty of not having to create it in advance.

Changes to security policies can be inconvenient to users, particularly long-term users. Sometimes actions required can seem frustrating, especially when everything is already set up as you like it. But security is a process, not a checkbox. One of our goals is to make these transitions for users as painless as they can be.

For more information, see our help pages on app passwords, setting up a new device, FastMail security upgrades and what to do if you think you’ve been hacked.