
Upon setting up app-passwords, Google sends a mail:

This app password will allow you to access your Google account from a device or application that can only be configured with a username and password, rather than a username, password and a verification code.

A "Google account" is literally linked to hundreds of applications, e.g. Google Apps, Google Search, Gmail, Google Docs, Google Calendar... so what does "access your Google account" mean?

Are all Google app-passwords equal?

What can a trojan/rogue application that has secured an app-password do to you?


2 Answers


Google hasn't publicly disclosed the scope of app passwords, but there are a few things we can reasonably deduce about them.

One way is to review Google's help information about them. Note especially this caveat:

On the "Signing in to Google" panel, choose App Passwords. If you don’t see this option:

[...]

  • You’ve turned on Advanced Protection for your account.

This confirms that App Passwords, by their very nature and by design, sidestep multi-factor authentication. To mitigate the risks of doing this, Google app passwords have two key benefits (for both the user, and for the Google ecosystem as a whole):

  1. Google app passwords are hard to guess (unrelated to anything about the user) because they are randomly generated, and long. This makes it less likely for an attacker to guess a weaker set of credentials.

  2. Google app passwords are unique per instance (but it is up to the user to ensure that a unique one is used for each separate device and/or application!). This minimizes the impact of exposing one app password (because if one use case is compromised, the other App Passwords don't need to be changed.)

Fastmail's post on MFA and App Passwords is a very good overview of the implications in more detail.

With MFA and Advanced Protection enabled, only some protocols and use cases (such as POP3/IMAP email clients) are allowed to use Google App passwords. I can't use a Google App password to log in interactively to the Gmail web interface, modify my Google Account, or otherwise perform activities that require account-wide privileges - but I can use email clients.

And from my testing, you can use any app password interchangeably with any other. There's no way to lock them down to specific applications yourself. The labels you can give them in the Google interface are cosmetic/advisory only.

This probably means that rogue use of an app password is limited to what can be exploited using any protocol that doesn't require MFA (e.g., reading or deleting all of your email).

But unless you're using Advanced Protection, that may mean just about everything.

Royce Williams

As far as I know, the app-passwords can have access only to mail. So a rogue application will have access to all of your emails and will have the right to send emails on your behalf.

Yehuda
    Wrong. App passwords have access to chat, calendar, email, files in Drive, contacts...pretty much everything except (possibly) changing settings. I'm not even 100% certain you can't change settings using an app password. It's really a "key to the kingdom" just like your normal password, except it doesn't require the 2FA code. – Ben Mar 26 '18 at 16:40