App Passwords

Every third-party program or app needs its own app password to access your information. For the Fastmail app, you need to use your normal password. If you use your normal password or your Fastmail two-step verification password on an external account, syncing to an external service won't work and you will see a password error.

Adding a new 3rd party app

When you set up a new non-Fastmail client, you'll need to get a new app password.

  1. Open the Settings → Password & Security screen.
  2. Enter your password to unlock the settings.
  3. Scroll down to the App Passwords section and click New App Password.
  4. Enter a device name. We have provided some options, but you can enter your own descriptive name, such as "Desktop: Outlook" or "phone: calendar".
  5. Choose what data this app has access to. By default, it can access your mail, calendars and contacts (using IMAP/POP/SMTP/CardDAV/CalDAV). You can restrict this further if you know the app doesn't need access to all of these. You also need to change this to get a password with access to your file storage (via FTP or WebDAV).

Click Generate Password to see the password that needs to be entered into your app. Make sure you've got your app working before you click "Done", as you won't be shown the password again.

Save the password in your client because you can't see it again through the web interface. It is safe to save the password in your client: you can always revoke a password if you lose your device or if you need to loan it to someone else temporarily.

It's so easy to generate a new password that it doesn't take long to set your device up again.

If this password is for an iPhone, iPad or iPod Touch on iOS 11+, you can use the QR code to automatically configure your mobile device.

If this password is for a Mac, use the configuration file link to automatically configure your computer.

Revoke an app's access

Lost a device? Stopped using a particular app? To revoke a password for a particular device:

  1. Open the Settings → Password & Security screen.
  2. Enter your password to unlock the settings.
  3. Find your device in the App Passwords list and click the Remove button to revoke the password.

How does an app password keep my account secure?

Third-party apps have to save your password so they can access your account every time you use them, and they don't support two-step verification. This puts them at greater risk of malware stealing your password.

App passwords are unique, secure passwords we generate for each app you use. This means you can easily disable access should you lose your phone or computer, without having to change your password everywhere. The passwords provide access to just the data your app needs; you can limit their access to just email, or just calendar data, or just contact data. This means that even if the password is stolen, it can't be used to change your settings (or change your normal password).

Why don't I need an app password for the Fastmail app?

An app password cannot be used to log in on the web or the Fastmail app.

Unlike 3rd party apps, our own app does not need to save your password. After you successfully log in, the server sends our app a long random token (much like an app password!) which it then uses to authenticate you from then on. This gives you all the same benefits of an app password, without the inconvenience of having to generate it in advance.

Our app supports two-step verification, which is the best way of keeping your account secure. If you enable this, then even a key logger would not be sufficient to gain access to your account, since the second factor is different each time.

If you lose your phone, you can remotely log out the app in the Logged In Sessions section of the Settings → Password & Security screen.

Why are app passwords 16 characters long? Why don't spaces and capitals matter?

The format of the app password needs to fulfil two requirements:

App passwords from Fastmail are 16 characters long. Each character is a random letter or number (excluding 0, 1, O or I, because these are easily confused when copying). This leaves 32 possibilities for each character.

With 16 characters, this means there are 1,208,925,819,614,629,174,706,176 different possible app passwords. For information theory nerds, that's 80 bits of entropy. This is considered infeasible to guess by brute force, even if you had a dump of our database and no limits on how fast you could try guesses other than the hardware you have available. It's completely impossible against an online service, where we of course have rate limits.

Since the way these passwords are generated is not a secret (nor does it need to be a secret), there is no change in security from us allowing spaces and case-insensitive input of the password. But it does make it much easier to type!
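The format described above, as an added sketch that is not Fastmail's own code: it generates a 16-character password from the 32-symbol alphabet, then shows that input with spaces or lower case normalises to the same value. The uppercase canonical form, the grouping in fours and the SHA-256 fingerprint used for storage are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Alphabet from the page: letters and digits minus 0, 1, O and I (32 symbols).
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits
                   if c not in "01OI")
LENGTH = 16


def generate_app_password() -> str:
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def entropy_bits() -> float:
    """log2 of the number of possible passwords: 16 * log2(32)."""
    return LENGTH * math.log2(len(ALPHABET))


def display(password: str) -> str:
    """Group in fours for easier typing (assumed presentation)."""
    return " ".join(password[i:i + 4] for i in range(0, LENGTH, 4))


def normalize(typed: str) -> str:
    """Drop all whitespace and fold case; reject anything malformed."""
    canon = "".join(typed.split()).upper()
    if len(canon) != LENGTH or any(c not in ALPHABET for c in canon):
        raise ValueError("not a well-formed app password")
    return canon


def fingerprint(password: str) -> bytes:
    """Value kept server-side in this sketch (assumption: SHA-256)."""
    return hashlib.sha256(normalize(password).encode()).digest()


def matches(typed: str, stored: bytes) -> bool:
    """Check typed input against a stored fingerprint in constant time."""
    try:
        candidate = fingerprint(typed)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)
```

Normalisation only collapses different spellings of the same password, so the number of distinct passwords stays at 32 to the power 16.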