Google signing policies and k9

It’s also discussed here (OAuth2 authentication), but I disabled less secure logins in my Gmail account today, activated 2FA, generated the App password, changed the password from the account variant to the app variant in K9, and everything is fine. There is no obvious reason why any changes concerning less secure logins on Google’s site should affect me :sunglasses:

Ok, I think I understand the steps to “fix” it, but I am trying to understand/confirm/verify that k9 mail is indeed considered less-secure and needs the fix. Google has this:

But it doesn’t tell me what apps I have that would qualify as “less secure”. That would be handy to know, Google.

My k9mail is at 5.6. Is that okay?

And does anyone else want to tell Google to go away? Isn’t it between me and my apps? Why do they get to disturb my login to MY app? Are they at risk? Isn’t it my risk and my decision? Their email feels like a big-brother intervention! What is my risk? k9mail works seamlessly (with all my many setting tweaks over many years). I hope NOTHING changes.


From Google’s perspective, any application that uses id/pw as its method for login is considered “less secure”. Google (and MS) want apps to use OAuth2. The interim “compromise” is that they are letting id/pw authentication apps use a user-/app-specific password that they generate. This keeps your “less secure” app from exposing your broader-access login credentials.

This applies to desk/laptop applications as well as those used on mobile devices. So if you have a desk/laptop email client that you use for Gmail, you will run into the same issue with it if it doesn’t support (or you haven’t enabled it to use) OAuth2.

Thanks for the info, but I still don’t fully get it. It’s not their call (IMO). Will I have to log in to such apps more frequently than ZERO with an app password? Will the underlying layers still have seamless (i.e. no intervention by me) access to my Google data?

On the positive side on the k9mail front, I was poking around more following Google’s “learn more” links that showed up and, lo and behold, I found the list of allegedly less-secure apps. If you follow Google’s Security Checkup, there is a section for third-party access. I have two apps in there and neither is K9Mail! One is called “Cloud Access” and is developed by Samsung. It has access to Gdrive and Gphotos, neither of which I use. The other one is Calengoo, which is a Google calendar/task client. I did suspect that one as a potential problem.

So from this deep dive, it seems that k9mail is in the clear! At least my version of it, which, granted, is old. I wonder if later versions changed security models and put a new target on their back?


From the client perspective, an “app password” is just like your Google pw. You enter it in the setup for the incoming/outgoing server configuration you have for Gmail in K9. Once entered, you don’t have to do anything different/special.

The security of your account (and so the method of access) does matter to Google/MS/Yahoo, etc., so they are trying to have you use an approach (OAuth2) that they consider more secure than a simple id/pw. As there are a lot of clients (for various services) that don’t support OAuth2, they are allowing the “app-password” option as an interim option. That way, these clients can still get access to your account data, but aren’t exposing your Google site-wide pw. I suspect that sometime soon they will announce the sunsetting of this option. [From what I’ve seen, MS Exchange seems to be turning off app passwords this fall, removing the currently available option for an administrator to turn it back on.]

The K9 login “security model” is the same in 5.7+ as it is in 5.6: id/pw. K9 does not, currently, support OAuth2, so just because it’s not listed doesn’t mean that it’s “in the clear”; it’s not. If K9 doesn’t support OAuth2 when Google phases out app passwords, K9 will no longer work with Gmail.
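To make the difference between the two models in the post above concrete at the protocol level, here is an added example (not code from this thread or from the K-9 project). It builds the initial client response an IMAP/SMTP client sends for SASL PLAIN (the id/pw model, whether the secret is the site-wide password or an app password) and for XOAUTH2 (the bearer-token mechanism Gmail uses), then decodes both to show what the server, or anyone who captured the exchange, actually receives. The user name, app password and access token are constructed placeholders, and the `imap_login_xoauth2` helper is only defined, not run, because it needs a live connection and a real token.

```python
import base64
import imaplib

# Constructed sample values for illustration only; none of these are real credentials.
USER = "alice@example.com"
APP_PASSWORD = "abcdefghijklmnop"               # placeholder for a provider-issued app password
ACCESS_TOKEN = "ya29.placeholder-access-token"  # placeholder OAuth 2.0 bearer token


def plain_initial_response(user: str, password: str) -> bytes:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64-encoded.

    This is the id/pw model: whatever secret the client stores is sent verbatim on
    every login. With the site-wide password that secret unlocks the whole account;
    with an app password it unlocks mail only and can be revoked on its own.
    """
    raw = b"\x00" + user.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return base64.b64encode(raw)


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """XOAUTH2 as used by Gmail IMAP/SMTP: 'user=<u>^Aauth=Bearer <tok>^A^A', base64.

    No password crosses the wire at all; the bearer token is scoped and short-lived,
    and the client refreshes it rather than storing a long-term password.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")
    return base64.b64encode(raw)


def decode_initial_response(mechanism: str, b64: bytes) -> dict:
    """Decode what the server (or a captured session) actually contains."""
    raw = base64.b64decode(b64)
    if mechanism == "PLAIN":
        _authzid, authcid, password = raw.split(b"\x00")
        return {"user": authcid.decode(), "secret": password.decode(), "kind": "password"}
    if mechanism == "XOAUTH2":
        # Fields are separated by 0x01; the trailing two separators yield empty parts.
        fields = dict(part.split(b"=", 1) for part in raw.split(b"\x01") if part)
        auth = fields[b"auth"].decode()
        if not auth.startswith("Bearer "):
            raise ValueError("XOAUTH2 auth field must carry a Bearer token")
        return {"user": fields[b"user"].decode(),
                "secret": auth[len("Bearer "):],
                "kind": "bearer token"}
    raise ValueError(f"unsupported mechanism: {mechanism}")


def imap_login_xoauth2(conn: imaplib.IMAP4_SSL, user: str, access_token: str):
    """Authenticate an already-opened imaplib connection with XOAUTH2.

    imaplib base64-encodes whatever the callback returns, so it gets the raw string.
    Defined for reference only; calling it needs network access and a real token.
    """
    return conn.authenticate(
        "XOAUTH2",
        lambda _challenge: f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8"),
    )


if __name__ == "__main__":
    for mech, payload in (("PLAIN", plain_initial_response(USER, APP_PASSWORD)),
                          ("XOAUTH2", xoauth2_initial_response(USER, ACCESS_TOKEN))):
        seen = decode_initial_response(mech, payload)
        print(f"{mech:8} server sees user={seen['user']} {seen['kind']}={seen['secret']}")
```

Run stand-alone, the script prints both decoded payloads side by side: the PLAIN exchange carries the stored password itself, while the XOAUTH2 exchange carries only a token that expires and can be revoked without touching the account password. That is the property behind the provider pressure described in the post; the app password is a middle ground because it still travels as a password, just not the site-wide one.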

I looked at those and they do show my google password. I remember long ago I was forced to change my google password, and k9 choked until I fixed it there too.

So if my google password is being used to access gmail by K9, shouldn’t that be enough?

My read is that the Google announcement, quoted at the top of this item, indicates that as of the end of May, if your application uses your Google user id and site log-in password, it will be blocked. Using an app password, instead of your Google log-in password, in your app seems to allow things to continue to work (for now at least). So, if, as you indicate, you are using your Google log-in password in K9, you should switch to using app passwords.

Most modern services that hold your data these days offer 2FA or force it on you. It reduces their risk to a degree, and protects your data.

I bought an email account subscription and they forced me to use 2FA. Yes please!

I recently signed up with a cloud storage service and they offered 2FA. Yes please!

The Google App passwords are assigned by Google, and either 12 or 16 characters (last I checked). Such is probably more secure than the average Google user password. They may also fingerprint these and watch connections closely, warning you if your app password gets used from another continent.

I’d recommend each application having its own app password: K9 gets one, Thunderbird on my laptop has one, Thunderbird on my desktop has one. Etc. You have the ability to drop these app passwords and recreate them.

If you can, I’d recommend using an app password with K9 to Gmail. Once that is in place, set up 2FA/TFA. Back up the password and your QR code doubly or triply so.

Google is a prime target for hacking attempts.

I actually like to be a bit more granular:

I’d recommend each application having its own app password: K9 gets one,
Thunderbird on my laptop has one, Thunderbird on my desktop has one.

and use different app passwords for incoming and outgoing within each mail application. That mitigates things some should a password get exposed in some way.

That’d be neat if Google and other providers used them that way, but I don’t think they do. A Google app password picked/captured/stolen from fetching mail will work for sending mail.

Google lets you create many app passwords. From memory, I think Microsoft and Yahoo give you one app password - that’s it. My data is old and things might have changed since.

I realize that Google doesn’t limit (let the user assign use limits to) specific app passwords, but being granular makes it easier to figure out where the leak/exposure may have been. It also reduces the number of places where you have to change the pw once you’ve disabled it on the Google side.

Since Google (and other MSPs) can identify the device that the connection is coming from, it would be nice if they would let the user assign the app passwords on at least a device level and then limit their use to that device. That would make a stolen app password almost useless to the thief.

Are there any updates yet? I just got an email from GG saying that they will suspend connections from less secure apps (namely K9).

You just need to set an app password for K-9 in your Google settings. Please check Google for more info.

I did that already, as I was using 2FA at the time of installing K9. I just wanna know if that is going to affect K9, namely being unable to use K9 for Gmail anymore, as I quite like K9.
Anyway, thanks for the fast reply.

It won’t affect K-9. As long as you have an app password set, everything will continue to work :slightly_smiling_face:


@thiendt2001 – If you just got that missive from Google, it implies that some third-party client of yours is (still) accessing Google services (Gmail, calendar, etc.) while using your Google site-wide id/pw. If you have K-9 configured to use app passwords, then it’s likely you have some other client that needs to be updated in terms of its credential usage (either to OAuth2 or an app password).


@njeyaakili @Nimueh Thank you all, I’m relieved now.


I am using K9 on Android and the Windows Live Mail client on a W10 PC to access multiple Gmail accounts. Both stopped working today. Will the one-app-password thing work with multiple Gmail accounts? I also have a few other non-Gmail accounts linked with both clients. Confused!

Please see How to use a Gmail/Google Workspace account with K-9 Mail?

I assume you mean your account on multiple devices? Then “Yes,” but that defeats the purpose of app passwords. If one of your devices/apps gets compromised, you would be unable to selectively disable it by erasing the app password. You would need to re-set up all devices/apps.