
Gmail app passwords: how to create, use, and revoke them

Step-by-step guide to Gmail app passwords in 2026: when you still need one, how to generate it at myaccount.google.com, security risks vs OAuth, and how to revoke it.

By Alexis Dollé

Since May 2022, Google has permanently blocked basic username/password access for third-party Gmail connections — a change that quietly broke thousands of older email setups overnight. App passwords are the designated fallback for apps that cannot complete an OAuth flow, but Google itself calls them “unnecessary in most cases” and the setup page is buried behind a working 2-Step Verification requirement. This guide covers exactly when you still need a Gmail app password in 2026, how to generate one in under two minutes, and how to clean up the ones you no longer use.


What is a Gmail app password?

A Gmail app password is a 16-character code that grants a specific app or device access to your Google account without requiring your real Google password. It works only when 2-Step Verification (2SV) is already active — Google will not show you the app password page otherwise. Once generated, the code is shown once and never again; you copy it directly into the app’s password field.

The concept dates back to when most email software handled authentication with a simple username + password exchange over IMAP or SMTP. That model has a fundamental problem: you hand a third-party app your actual Google credentials, which means if the app is breached, your entire Google account is exposed. App passwords were introduced as a partial mitigation — a scoped token that only grants access via IMAP/SMTP, not full account access.

Google describes app passwords this way on its support page: “An app password is a 16-digit passcode that gives a less secure app or device permission to access your Google Account.” The phrasing “less secure” is deliberate and honest — app passwords are a compatibility layer for legacy systems, not a recommended approach.

One critical detail that trips up many users: app passwords are only available if you use standard 2-Step Verification (SMS, authenticator app, or hardware key). If you are enrolled in Google’s Advanced Protection Program, app passwords are disabled entirely. If your Google Workspace administrator has restricted app password creation at the domain level, the page will return an error or simply not load.


Do you actually need one in 2026?

For the majority of Gmail users in 2026: no. Modern email clients, mobile apps, and most desktop software support OAuth 2.0 — the “Sign in with Google” button flow that issues a scoped token without ever touching your password. You need an app password only if you are using software that cannot complete an OAuth flow.

Here is the practical split:

You do NOT need an app password if you use:

  • Gmail in a browser
  • The official Gmail iOS or Android app
  • Mailbird (supports OAuth for Gmail since 2020)
  • Thunderbird 115 and later (switched to OAuth by default)
  • Outlook 2016 and later with a modern auth configuration
  • Apple Mail on macOS Ventura and later
  • Any email client that shows a “Sign in with Google” browser popup during account setup

You probably DO need an app password if you use:

  • Python scripts using smtplib with smtp.gmail.com:587
  • Legacy automation tools (Zapier legacy email nodes, older n8n versions, custom bash sendmail wrappers)
  • Thunderbird versions before 115 without manual OAuth migration
  • Printers or scanners with SMTP-based “scan to email” features
  • Network-attached storage (NAS) devices with Gmail notification email
  • Very old versions of Outlook (2010 and earlier) with no OAuth support
  • Custom CRM or ERP software that hardcodes SMTP authentication

The Less Secure Apps toggle — which previously let these old apps bypass 2SV entirely — was permanently removed by Google in May 2022. App passwords became the only non-OAuth path after that.


How to create a Gmail app password (step by step)

Creating a Gmail app password takes under two minutes. You go to myaccount.google.com/apppasswords, name the app, click Create, copy the 16-character code, and paste it into the app’s password field. 2-Step Verification must be active before this page becomes accessible.

Prerequisites before you start:

  1. 2-Step Verification must be turned on. If it is not, enable it first at myaccount.google.com/signinoptions/two-step-verification. The full setup walkthrough is in our Gmail two-factor authentication setup guide.
  2. You must not be enrolled in the Advanced Protection Program (app passwords are disabled for those accounts).
  3. If you use Google Workspace (a company or school account), your administrator must allow app password creation.

Step 1 — Open the App Passwords page

Go to myaccount.google.com/apppasswords. You may be asked to sign in or confirm your password. If the page shows an error saying app passwords are not available, re-check the prerequisites above.

Step 2 — Name the app

You will see a text field labelled “App name.” Type something descriptive — Thunderbird desktop, Python invoice script, Brother printer. This label is only for your own reference; Google does not use it for access decisions. A specific name matters when you need to revoke the right password six months later.

Step 3 — Click Create

Google generates a 16-character code displayed in four groups of four letters. This is the app password. It looks like: abcd efgh ijkl mnop.

Step 4 — Copy and use it immediately

This is the only time you will see this exact code. Copy it now. When you paste it into the email client or script, remove any spaces — the app needs the raw 16 characters. In Thunderbird, for example, paste it into the “Password” field during IMAP account setup; in a Python smtplib script, assign it to the password variable.

Step 5 — Close the dialog

Once you dismiss the dialog, the full password is gone from Google’s interface. What remains is the label you chose in Step 2, visible on the app passwords management page. If you lose the code, you cannot retrieve it — you generate a new one and update the app.


When you still need an app password

App passwords remain necessary for any software that authenticates over IMAP or SMTP using a username and password, without supporting the OAuth browser-redirect flow. The most common cases in 2026 are legacy scripts, older desktop clients, and hardware devices.

Python / developer scripts

The most common use case. A script using smtplib.SMTP_SSL('smtp.gmail.com', 465) followed by server.login(email, password) will fail with a standard Google password and 2SV enabled. Replace password with the 16-character app password and it works. If you want to avoid app passwords entirely in scripts, look into the Gmail API with a service account or OAuth 2.0 flow — more setup, but the right long-term approach.

Printers and scanners with scan-to-email

Brother, HP, Ricoh, Canon — essentially any mid-range office device with an SMTP email feature uses basic authentication. There is no browser popup on a printer, so OAuth is impossible. App passwords are the correct solution here: create one labelled HP printer office, enter the Gmail address and app password in the printer’s SMTP settings, and the device can send scanned PDFs to your inbox.

Legacy Thunderbird and Outlook configurations

Thunderbird 115 switched its default Gmail auth to OAuth, but accounts originally set up on earlier versions may still use IMAP with a stored password. If Thunderbird prompts for your password again after a Google change, and the prompt is for a password not an OAuth flow, you have a legacy auth configuration. Options: re-add the Gmail account in Thunderbird 115+ (triggers OAuth), or generate an app password and paste it into the prompt.

Outlook 2010 and 2013 have no OAuth support. If you must keep running these versions with Gmail (not recommended), an app password is the only option.

NAS and home server notifications

Synology, QNAP, and similar devices often include an “email notification” feature that requires SMTP credentials. Create a dedicated app password labelled with the device name. Treat it like any other credential: if the device is retired, revoke the password.


Why most modern clients no longer need one

Modern email clients authenticate via OAuth 2.0, which opens a browser window for the “Sign in with Google” flow instead of asking for a password. Google issues a scoped access token to the app — no password is ever shared, and the token can be revoked from your Google account without affecting your Google password.

This shift happened gradually between 2016 and 2022. Gmail blocked Less Secure Apps (basic IMAP/SMTP with your real password) in May 2022, pushing every remaining client to either adopt OAuth or rely on app passwords.

Mailbird, for example, handles Gmail setup entirely through OAuth. When you add a Gmail account in Mailbird, it opens your default browser to accounts.google.com, you approve the permissions, and you are done — no password of any kind enters Mailbird’s storage. The access is scoped to email read/write/send, not your full Google account. If you revoke Mailbird’s access from your Google account security page, the token becomes invalid immediately.

This is materially more secure than an app password. An app password, once generated, has no expiry date and no scope restriction beyond IMAP/SMTP. An OAuth token is scoped, revocable, and tied to a specific approved application.


If you are currently running an older email client that requires an app password for Gmail and you spend significant time in your inbox, switching to a client with proper OAuth support is worth the migration cost. The security improvement is real. See our best email clients for Windows 2026 roundup for a comparison across the main options.


Security: app passwords vs OAuth

App passwords are safer than sharing your real Google password with a third-party app, but meaningfully weaker than OAuth. An app password grants persistent IMAP/SMTP access with no expiry, no scope restriction beyond email, and no automatic invalidation if your behavior changes. OAuth tokens are scoped, expiring, and revocable per application.

What an app password can and cannot do:

A 16-character app password lets the holder authenticate via IMAP (read email, manage folders) and SMTP (send email as you). It does not grant access to your Google Drive, Calendar, Contacts, or account settings. It cannot be used to log into google.com directly.

What it does not protect against: persistence. If a script or app that holds your app password is compromised, the attacker has ongoing read/send access to your Gmail until you revoke the specific password. There is no automatic expiry.

One automatic revocation trigger does exist: when you change your Google account password, all existing app passwords are invalidated. This is a useful emergency measure — if you suspect a breach, change your Google password and all app passwords die immediately. Then audit which apps need new ones.

Practical security hygiene:

  • Create one app password per use case, never reuse across multiple apps
  • Use a descriptive label (not just “Mail”) so you can revoke precisely
  • Review your app passwords list at myaccount.google.com/apppasswords quarterly
  • When you retire a script, device, or client, revoke its app password the same day
  • Never store an app password in plaintext — use environment variables, a secrets manager, or your OS keychain
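To check the last rule in practice, here is an added example (not code from this guide or from Google): a small scanner that flags app-password-shaped values assigned to password-like keys in scripts and config files, reporting the location but never the secret. It assumes app passwords are 16 lowercase letters, raw or in the four-groups-of-four display form; the sample text, key names and file suffixes are constructed for the example.

```python
import re
from pathlib import Path

# Assumption: an app password is 16 lowercase letters, stored either raw or in
# the four-groups-of-four form Google displays ("abcd efgh ijkl mnop").
VALUE = r"(?P<value>[a-z]{16}|[a-z]{4}(?: [a-z]{4}){3})"
# Only flag values assigned to a password-like key; 16 letters alone are noise.
FINDING = re.compile(
    r"(?P<key>(?i:[\w.-]*(?:pass|pwd|secret)[\w.-]*))"  # e.g. SMTP_PASSWORD
    r"[\"']?\s*[:=]\s*"                                 # INI, YAML, JSON, Python
    r"(?P<quote>[\"']?)" + VALUE + r"(?P=quote)"
    r"\s*(?:[,;#].*)?$"                                 # trailing comma/comment
)

# Constructed sample input: two plaintext secrets, two lines that are fine.
SAMPLE = '''\
[smtp]
host = smtp.gmail.com
user = reports@example.com
password = abcd efgh ijkl mnop
SMTP_PASS="qrstuvwxyzabcdef"
api_password = os.environ["GMAIL_APP_PASSWORD"]
"password": "correcthorsebattery",
'''


def scan_text(text, source="<memory>"):
    """Return findings without ever copying the secret into the report."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = FINDING.search(line)
        if match:
            form = "grouped" if " " in match.group("value") else "raw"
            findings.append({"source": source, "line": line_no,
                             "key": match.group("key"), "form": form})
    return findings


def scan_tree(root, suffixes=(".py", ".env", ".ini", ".yml", ".yaml",
                              ".json", ".conf")):
    """Scan matching files under root; unreadable bytes are ignored."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or path.name == ".env"):
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.ini"):
        print(finding)
```

A hit means the value should be moved to an environment variable, secrets manager or keychain, and the exposed app password revoked and regenerated. Passwords passed inline as function arguments are outside what this pattern catches.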

Google’s official guidance is clear: “App passwords aren’t recommended and are unnecessary in most cases.” The recommendation to use OAuth wherever possible is the right one. App passwords are a compatibility tool, not a security feature.


How to revoke a Gmail app password

To revoke a Gmail app password, go to myaccount.google.com/apppasswords, find the entry by the label you gave it, and click the revoke (trash) icon. Revocation is immediate — the app using that password will fail to authenticate on its next attempt.

The revocation page lists every active app password by the name you gave it at creation, along with the approximate creation date. If you labelled them clearly, this page is easy to audit. If every entry says “Mail,” you cannot tell which app uses which password without trial and error.

What happens after revocation:

The app or script that held the password will receive an authentication failure on its next connection attempt. In Thunderbird, this surfaces as a password prompt. In a Python script, it raises a smtplib.SMTPAuthenticationError. The fix is to generate a fresh app password and update the app’s configuration.
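The script case described above and under "Python / developer scripts", as an added example that is not code from the original guide: a minimal smtplib sender that reads the app password from an environment variable, strips the display spaces, and treats smtplib.SMTPAuthenticationError as the signal that the password no longer works. The variable name GMAIL_APP_PASSWORD, the example addresses and the smtp_factory parameter are assumptions made for the example.

```python
import os
import re
import smtplib
import ssl
from email.message import EmailMessage

# App passwords are shown as four groups of four letters; apps need the raw 16.
_APP_PASSWORD_RE = re.compile(r"[A-Za-z]{16}")


def normalize_app_password(raw):
    """Strip the display spaces and check the result is 16 letters."""
    compact = "".join(raw.split())
    if not _APP_PASSWORD_RE.fullmatch(compact):
        # Never echo the value itself into logs or error messages.
        raise ValueError("app password must be 16 letters once spaces are removed")
    return compact


def load_app_password(env_var="GMAIL_APP_PASSWORD", environ=None):
    """Read the secret from the environment instead of the script source."""
    environ = os.environ if environ is None else environ
    raw = environ.get(env_var)
    if not raw:
        raise RuntimeError(f"{env_var} is not set")
    return normalize_app_password(raw)


def send_mail(sender, recipient, subject, body, app_password,
              smtp_factory=smtplib.SMTP_SSL):
    """Send one message; return 'sent' or 'auth-failed'."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    context = ssl.create_default_context()  # verifies the server certificate
    with smtp_factory("smtp.gmail.com", 465, context=context) as server:
        try:
            server.login(sender, app_password)
        except smtplib.SMTPAuthenticationError:
            # Revoked app password, 2SV turned off, or Google password changed.
            return "auth-failed"
        server.send_message(msg)
    return "sent"


if __name__ == "__main__":
    # Placeholder addresses; replace with the Gmail account that owns the password.
    status = send_mail("you@example.com", "you@example.com", "Invoice run",
                       "Nightly job finished.", load_app_password())
    print(status)
```

An "auth-failed" result from a job that used to work is worth alerting on: it means the credential was revoked or invalidated, and the job needs a fresh app password rather than a retry loop.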

Bulk revocation:

There is no single-click “revoke all” button on the app passwords page. The fastest mass revocation is to change your Google account password — this immediately invalidates every app password for your account. All apps using app passwords will need to be reconfigured with new ones. Use this nuclear option only when you suspect an account compromise or are doing a full security reset.


Troubleshooting: app password not working

The most common reasons an app password fails: the code was copied with spaces (paste the 16 raw characters, no spaces), 2-Step Verification was disabled after the password was generated (app passwords are deleted when 2SV is turned off), or the Google password was changed (all app passwords are automatically revoked at password change).

Work through this checklist before generating a new app password:

1. Spaces in the code. Google displays the 16-character code as abcd efgh ijkl mnop. Some password fields accept this format; others reject the spaces. When in doubt, enter the 16 characters without spaces: abcdefghijklmnop. Test both.

2. 2-Step Verification was turned off. If 2SV is disabled on the account — even briefly — all app passwords are deleted. Re-enabling 2SV does not restore them. Generate new app passwords after re-enabling 2SV.

3. Google password was recently changed. Changing your Google account password automatically revokes all app passwords. This is documented on Google’s support page. Generate a fresh app password after any password change.

4. Wrong account. If you manage multiple Google accounts, confirm the app password belongs to the same account the app is trying to authenticate. App passwords are account-specific.

5. App is using the wrong authentication type. Some email clients have a setting for authentication method: Normal password, OAuth2, Kerberos, etc. For app passwords, select Normal password (or equivalent). Selecting OAuth2 when using an app password will fail.

6. Workspace admin restriction. If your account is a Google Workspace account (school, employer), the admin can restrict or disable app password creation. If the app passwords page shows an error when you are signed in, contact your Workspace administrator.

7. Advanced Protection Program. Accounts enrolled in the Advanced Protection Program cannot create app passwords. This is a hard restriction by design — Advanced Protection users are expected to use only Google-approved apps.

If none of the above resolves the issue, revoke the existing password, generate a fresh one, and immediately paste it into the app before closing the dialog.


Alexis Dollé
Founder & Editor

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.


Frequently asked questions

What is a Gmail app password?

A Gmail app password is a 16-character code that lets an older app or device access your Google account without using your real Google password. It only works when 2-Step Verification is already turned on. Google itself says app passwords are unnecessary in most cases — modern apps use OAuth (“Sign in with Google”) instead.

Where do I create a Gmail app password?

Go to myaccount.google.com/apppasswords while signed into your Google account. 2-Step Verification must already be active. If you don’t see the app passwords page, your account either uses Google Workspace with admin restrictions, doesn’t have 2SV enabled, or is enrolled in the Advanced Protection Program.

Do I still need app passwords in 2026?

For most people: no. Modern email clients like Mailbird, Thunderbird 115+, and Outlook 2016+ all support OAuth and connect to Gmail without an app password. You still need one if you use legacy scripts, automation tools, older IMAP/SMTP software, or devices that have no way to complete an OAuth flow.

What happened to Less Secure Apps in Gmail?

Google permanently removed the “Less Secure Apps” toggle in May 2022, ending basic username/password access for third-party apps entirely. App passwords (which require 2-Step Verification) became the only non-OAuth fallback for legacy apps. Then, starting January 2025, Gmail also removed the IMAP on/off toggle — IMAP is now always on.

Are Gmail app passwords safe?

They are safer than sharing your real Google password, but weaker than OAuth. An app password bypasses 2-Step Verification for the app that holds it. If the app is compromised or the password leaks, an attacker has persistent access to your Gmail until you revoke it. Keep app passwords to a minimum — one per use case, revoke immediately when no longer needed.

What do I do if my Gmail app password stops working?

First, check that you copied the 16-character code correctly (no spaces). Then verify 2-Step Verification is still active on your account. If you recently changed your Google password, the app password was automatically revoked — generate a new one. Also confirm the app is set to use the app password, not your regular Google password.


Sources & references
  1. Google Account Help — Sign in with app passwords. Describes app passwords as “a 16-digit passcode,” confirms 2-Step Verification requirement, notes automatic revocation on password change. Accessed 2026-05-18. support.google.com/accounts/answer/185833
  2. Gmail Help — Read Gmail messages on other email clients using IMAP. Confirms Gmail “no longer supports third-party apps or devices which require you to share your Google username and password,” notes January 2025 change removing IMAP on/off toggle. Accessed 2026-05-18. support.google.com/mail/answer/7126229
  3. Email Tools — Gmail two-factor authentication setup guide. Step-by-step walkthrough for enabling 2-Step Verification, prerequisite for app password creation. email-tools.me/posts/gmail-two-factor-authentication-setup/
  4. Email Tools — Best email clients for Windows 2026. Covers OAuth-supporting clients as alternatives to app-password-dependent legacy setups. email-tools.me/posts/best-email-clients-windows-2026/
