Is Google's 2-step verification less secure with application-specific passwords?

5

When using Google's 2-step verification with services that can't use it, such as mail clients on smartphones and desktops, the solution is to create application-specific passwords for those services. Doesn't that make things less secure than just using one password as this opens up the account to more than one password?

ihatetoregister

Posted 2012-01-13T08:35:16.197

Reputation: 291

They can't change your master password through one of the application-specific ones, can they? So why would it be less secure? The passwords are also random gibberish, so it's not like you should try to remember them – Ivo Flipse – 2012-01-13T08:47:23.513

For me, 'application specific' is extremely misleading. How exactly is it specific to one application? There are no restrictions on how many applications can use this password, nor is there any type of 'role' restriction. As far as I can tell, it gives full access to your account. – UpTheCreek – 2012-04-19T07:18:55.623

I can only assume what they mean is that they are specific to applications in general, not to a specific individual application. From what I've tested, you can't change your account password using an app-specific password. I wouldn't say it gives full access, but it does give anyone who has access to your computer full access to your emails. But this is just the same as using Outlook without 2-step verification - the only difference being your master password isn't stored on your computer. – OrangeBox – 2012-04-24T05:38:39.487

Answers

4

The idea is to use multiple application-specific passwords, one for each login you require. That way, if your laptop is compromised (for example), you can just revoke the app-specific passwords you used on your laptop. It also means no one can use an app-specific password to lock you out of your own account (as you can't use an app-specific password to log in to the web UI).

Have a look at my answer here for a better explanation.

Just to clarify: you can't log in to any Google service using an application-specific password as the password, but you can get access to the web UI if you click View Inbox in Google Notifier or Google Talk (I don't know any other programs that have this function).

e.g. Going to mail.google.com and using username: john.doe@gmail.com and the password: ztff jskp qdzm ofzw won't work.

Google rejecting app-specific password as login password

OrangeBox

Posted 2012-01-13T08:35:16.197

Reputation: 290
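The answer above describes three properties of application-specific passwords: each one is random and shown only once, each one can be revoked on its own (so a compromised laptop costs you only the laptop's credentials), and none of them is accepted for the web UI. The following is an added toy model of that scheme written for this page; it is not Google's code or anything from the original post. The class and method names (Account, AppPassword, the "imap"/"smtp"/"web" scopes, the PBKDF2 parameters) are all assumptions made for illustration, and the 16-letter, four-group format only mimics the "ztff jskp qdzm ofzw" shape shown in the answer.

```python
"""Toy model of per-application passwords beside a primary password.

Added example for this page, not Google's implementation. Models:
  1. app passwords are random, displayed once, and stored only as salted hashes;
  2. each app password is revocable on its own;
  3. an app password opens mail protocols only, never the web UI, while the
     primary password (plus a second factor) opens only the web UI.
All names and parameters below are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

APP_SCOPES = frozenset({"imap", "smtp"})  # protocols that may use an app password (assumed)
WEB_SCOPE = "web"                          # web UI: primary password + second factor only
PBKDF2_ITERATIONS = 100_000                # assumed value; tune for your own threat model


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def normalize(pw: str) -> str:
    # The password is displayed in four-letter groups; clients may send it with or
    # without the spaces, so comparison is done on the letters only.
    return pw.replace(" ", "").lower()


@dataclass
class AppPassword:
    label: str          # e.g. "laptop-thunderbird", so the user knows what to revoke
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    primary_salt: bytes
    primary_digest: bytes
    app_passwords: dict[str, AppPassword] = field(default_factory=dict)

    @classmethod
    def create(cls, primary_password: str) -> Account:
        salt = secrets.token_bytes(16)
        return cls(salt, _hash(primary_password, salt))

    def create_app_password(self, label: str) -> tuple[str, str]:
        """Return (id, displayed plaintext). Only the hash is kept, so it is shown once."""
        letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        display = " ".join(letters[i:i + 4] for i in range(0, 16, 4))
        salt = secrets.token_bytes(16)
        pw_id = secrets.token_hex(4)
        self.app_passwords[pw_id] = AppPassword(label, salt, _hash(letters, salt))
        return pw_id, display

    def revoke(self, pw_id: str) -> None:
        """Invalidate one credential without touching the others or the primary password."""
        self.app_passwords[pw_id].revoked = True

    def authenticate(self, password: str, scope: str, second_factor_ok: bool = False) -> str | None:
        """Return what was accepted ("primary" or "app:<label>"), or None if rejected."""
        if scope == WEB_SCOPE:
            # Only the primary password, together with the second factor, opens the web UI.
            ok = hmac.compare_digest(_hash(password, self.primary_salt), self.primary_digest)
            return "primary" if ok and second_factor_ok else None
        if scope not in APP_SCOPES:
            return None
        # Mail protocols cannot carry a second factor, so the primary password is never
        # accepted here; only a live (unrevoked) app password is.
        candidate = normalize(password)
        for ap in self.app_passwords.values():
            if not ap.revoked and hmac.compare_digest(_hash(candidate, ap.salt), ap.digest):
                return f"app:{ap.label}"
        return None


if __name__ == "__main__":
    acct = Account.create("correct horse battery staple")
    laptop_id, laptop_pw = acct.create_app_password("laptop-thunderbird")
    phone_id, phone_pw = acct.create_app_password("phone-mail")
    print("laptop IMAP:", acct.authenticate(laptop_pw, "imap"))
    print("laptop password at web UI:", acct.authenticate(laptop_pw, "web", second_factor_ok=True))
    acct.revoke(laptop_id)  # laptop stolen: only its credential dies
    print("laptop IMAP after revoke:", acct.authenticate(laptop_pw, "imap"))
    print("phone IMAP still works:", acct.authenticate(phone_pw, "imap"))
```

The model makes the commenters' point concrete as well: an app password is "specific" only in the sense that it is a separate, individually revocable credential for a narrower protocol scope; within that scope it reads all mail, exactly as the comments observe.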

2

I haven't done extensive testing, but this is what I've seen so far.

Application-specific passwords are sometimes more limited than "one application." For example, on my Palm Pre, I have to use one password to receive mail and one to send. Same on Thunderbird.

Plus they are only displayed once. Notice that after you enter the password, you can no longer retrieve it through the Google Accounts UI. If you typed it in wrong, you have to revoke the old one and issue a new one.

In the end, secure enough to be annoying. That's usually secure enough.

surfasb

Posted 2012-01-13T08:35:16.197

Reputation: 21 453