Apple upped its account security for Apple IDs years ago to prevent unwanted and unauthorized third-party access to all your information. Apple relies on Apple ID across all its software and services, but third-party software can only gain access to three kinds of data: email, contacts, and events.
Apple requires web-connected and native mobile or desktop software—on iOS, Android, Windows, macOS, and others—that want to use any of those three kinds of data to use a special kind of access. You create a so-called app-specific password for each piece of software to which you want to grant access.
Google and other ecosystems offer a similar approach to reduce the opportunity for exploitation. Apple lets this password be used for email, contacts, and events; some other systems require you lock it down to one of those three services, or even to a task as specific as “retrieving email.”
To create an app-specific password, follow these steps:
Login to your Apple ID account in a web browser at appleid.apple.com. (You can only create and manage these passwords at the website.)
In the Security section, click Generate Password.
Enter a label to remind you on why you created the password and click Create.
The site creates a password that you can write down or select and copy. Click Done.
In the third-party software you’re using, enter your Apple ID email address and this password. No additional steps are required.
You can create up to 25 app-specific passwords. While Apple recommends you create one for each service or site, you can re-use them.
The utility of app-specific passwords is that you can revoke them without resetting your account.
Log in at the Apple ID site.
Click Edit to the right of the Security label.
To the right of the app-specific password generation link, click View History.
The site displays a list of passwords with labels and when they were created. Click the x to the right of the listing and then click Revoke to remove it. You can also click Revoke All to deny access to all third-party apps if you believe something was compromised.
Treat these app-specific passwords with the same kind of care as you would your main iCloud password. Someone who gains access to your email can often use that as a scaffolding to access other parts of your life, such as sending password reset requests to the iCloud email address for other services, receiving second-factor login codes for financial institutions, or confirming transactions via email.
This Mac 911 article is in response to a question submitted by a Macworld reader.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.