With the threat from a group of hackers to wipe out thousands of iCloud accounts, securing those accounts has become even more important. We have urged users to change their iCloud passwords. We also explained how you can turn on two-factor authentication (2FA), one of the most effective ways to secure any account. Once you enable 2FA, though, you might notice certain third-party apps asking for an App-Specific Password. Let’s walk through the process of getting one.
When Do I Need an App-Specific Password?
Third-party macOS apps that require access to your iCloud account will likely need app-specific passwords. BusyCal, Fantastical 2, Airmail 3, and Newton Mail all require app-specific passwords to connect to iCloud accounts. Those are just a few examples. Any third-party app that doesn’t natively support two-step verification or two-factor authentication will need an app-specific password to connect to any of your iCloud services.
Setting Up an App-Specific Password
To establish an app-specific password, you’ll need to log into your Apple ID account page, preferably from Safari. Once signed in, look towards the bottom right of the page, in the Security section, for an option called App-Specific Passwords. Click Generate Password to get started.
The web page will tell you what app-specific passwords are for, and allow you to enter a password label. Input whatever you want here, but my standard practice is to type in the name of the app the password is for.
Next, Apple’s web page will provide you with an app-specific password. Highlight the entire password and copy it, either by pressing Command-C or right-clicking the highlighted password and choosing Copy.
Now, return to the app needing the app-specific password. In the password field for your account information, paste the password you copied before. You can paste either by pressing Command-V or right-clicking inside the field and choosing Paste.
A Limited Number of App-Specific Passwords
Apple allows you to maintain up to 25 app-specific passwords. In the unlikely event that you run out, you can review which apps you have credentials for and revoke those you aren’t using. To do this, go back to your Apple ID account page. To the right of the Security section, click Edit.
On the next page, you’ll see another section labeled App-Specific Passwords, with an option to generate a new one. To the right of that option, find the link View History, and click it.
A pop-up menu listing all of your active app-specific passwords will appear. If you see one that you no longer use, you can revoke it by clicking the ‘X’ next to it.
Finally, Apple will ask you to confirm that you want to revoke the app-specific password. Click Revoke, and you’ll go back to the list of app-specific passwords. You can click Done and then close the browser window.
Safeguard Your App-Specific Passwords
Apple doesn’t provide you with any way to recover your app-specific passwords, so it’s a good idea to use a password manager to store them. Alternatively, if you forget one, you can simply revoke it and issue a new one.
vpndev – I believe that invalidating app-specific passwords when the primary password is changed is the right way to do it, in the same manner that all login tokens are invalidated, i.e., after a password change every connection must be specifically re-authenticated.
Some other services, like Dropbox I think, allow you to change the password and not affect existing connections, which takes us to the security versus convenience balancing act.
Is there a list of apps that can be password protected?
Gripe: if you change your iCloud password, as you’re often prompted to do, that invalidates all your app-specific passwords.
So you need to go around and do those all over again.