Google’s Application Passwords: Credential Corralling

Keeping your single-serving passwords under control.

If you have a Google Apps account, or even a regular Gmail account that you use for email and watching the colorful tumbleweeds on Google+, you should activate their two-factor authentication service.

Google calls this 2-step verification and other folks in the industry usually call it two-factor authentication or multi-factor authentication (MFA) 1.

When you setup multi-factor authentication like this, it works great for applications and services on the web. But what happens when you want to use a mobile device or desktop email client to access your Google account in something other than a browser? Not all applications support an additional authentication method or can even prompt you for a one-time code. Do you use iMessage, Beejive or Verbs for instant messaging? Do you need to configure your CalDAV account for your calendar software? Google allows you to create an application-specific password so that you can let that application or service communicate with Google and login using a strong password designed to allow access to your account without trusting them with your account password and bypassing the requirement for 2-step verification.

This has a couple of benefits, namely that should your account be compromised in this way you’ll have a pretty good idea of how the intruder gained access. Google makes some recommendation for naming these application-specific passwords, but I have to say that using their recommendations may make it harder to dig it up later if you’re anything like me and regularly replace/re-image or rebuild devices and systems.

Because I’m smart, I use 1Password for OS X and iOS so that my passwords, software licenses and account details are safely stored2. When I create an application password at Google I always store it in 1Password so that I can recall it later if I need to put the password in again. You can very easily end up with a mile-long list of passwords if you’re not careful, so in general I recommend the following practice:

How to 2-step like a champion

Names

Name your application-specific passwords by device name or application name, followed by a forward slash ‘/’ and the account that it’s associated with. You’ll thank me later.

$device/$account@domain

What your Application-Specific Passwords List Might Look Like
What your Application-Specific Passwords List Might Look Like

Here in this list you’ll see a list of ‘$computer’ or ‘$device’ names, and one example of a ‘$service’ account: ‘altomail/’, for the beta of AOL’s new webmail client, which can access my Gmail account using the username and that single-serving password.

Device or Computer sounds unsafe. Why do that?

It’s certainly better to have different passwords for every application that needs to access your account, but not always necessary. I’d suggest using a similar strategy for naming them; $app/$device/$account. The drawback to this is that it’s disproportionately a hassle and it’s more effort to revoke them later when you really need to because you have a higher chance of nuking the wrong one, or missing one. Having a consistant naming convention helps a great deal with this, so it’s really up to you to weigh the benefits and level of effort.

Why would you want to revoke them?

Well, because if your iPhone, iPad, or iPod is stolen, it’s easy to revoke the access that device has to your accounts by nuking it with Google and bam, the person that has my device can’t impersonate me or rifle through my online accounts using that password. I always have device-level encryption on my devices, and I can just wipe the device remotely (and I will) but if they can’t use the device, it may not ever get on a network, and therefore it may not ever get my remote wipe command. At that point, I’m concerned about an offline attack to recover data, so I need to make sure those details aren’t useful anymore and I don’t want to have to re-key every single application and device I own unless I have to. You don’t either.

One big benefit to individually authorizing and provisioning using the $application/$device method is that it somewhat isolates other services and devices when one set of credentials is compromised. Given that many apps and services for mobile devices utilize push notifications and maintain persistant connections to do so, it’s often to your advantage to create a dedicated password for those services3

What about 1Password then?

When I set up my Gmail account, Google+, Verbs, Google Voice, Reeder and a bunch of other apps on my iPhone, I can just use the same application-specific ($device) password on all of those apps: the one marked ‘annyong/’. Since I use a clever naming convention on my two-step it’s wicked easy to search and recover that password every time I need it. I can then Copy-Paste it from 1Password into the other app. I can search for my device or computer name, and it comes right up.

Obviously any trusted password manager you use will work for this, but 1Password is the best-in-class so that’s the one I use. It’s mine; I’m a fancy boy.

Don’t make it too hard

There are many people that don’t bother with two-step auth on their Google account because it’s too much hassle, or tedious to get these application passwords set up. This method I’ve outlined should make two-step authentication tolerable and still give you enough protection and isolation that if a device is missing/lost/stolen or your computer needs to get re-imaged or replaced, it’s a lot easier to get back up and running without having to replace a dozen passwords every time.


  1. I previously wrote a little bit about the technology Google uses for this when writing about Dropbox’s two-factor option. If you are using iOS and Authy it’s easy to add your Google Account(s) to Authy in addition to your Dropbox account and any other service you subscribe to that allows you use a TOTP token. If you use Duo Security which lets you do sweet multi-factor access via push notifications, SMS, and voice calls, you can also add TOTP tokens for Google, Dropbox, and other services! 

  2. 1Password also makes it trivial to export a list of items tagged ‘household’ for your partner to import into their 1Password database, which is a real sanity saver. 

  3. In particular IM+ and Beejive messengers maintain lengthy connections to IM servers on your behalf so that they can send notifications to your device without requiring the app to be running. 

Enable two factor on Dropbox

If you are a user of Dropbox, you should enable two-factor authentication on your account. Dropbox joins Amazon, Google, and LastPass as service providers offering strong authentication for account access

Dropbox opted for TOTP, which is the Time-based One-time Password Algorithm. For end users, this means you can use Google Authenticator or other apps that support that; Personally I use Authy for iOS as my weapon of choice in managing my software tokens.1

I can understand why Dropbox decided to go with TOTP but would have preferred they went with Duo Security instead, even if it was just for paid customers. Duo is much more convenient! But the bottom line is that at least they offer multi-factor authentication at all for a service that stores important data for millions of users.


  1. Edit 2013-02-18: Duo Security now allows you to add TOTP tokens in their mobile app. This means that you can use the fantastic multi-factor authentication via the Duo service and also store your tokens for services like Google Apps, Dropbox, and others in one place. There are advantages to using Authy too, and I’ll write more about that another time.