App passwords

Every third party program or app needs its own app password to access your information. For the Fastmail app, you need to use your normal password. If you use your normal password or your Fastmail two step verification password on an external account, syncing to an external service won't work and you will see a password error.

Adding a new third party app

If you want to use your Fastmail account with any non-Fastmail service such as your mail client or desktop calendar, then you will need to create an app password specific to that service. To generate an app password:

  1. Open the Password & Security → App Passwords screen.
  2. Enter your password and click Unlock, then click New App Password.
  3. Enter a device name. We have provided some options, but you can enter your own descriptive names; for example: "Outlook on PC" or "Samsung Galaxy calendars".
  4. Choose what data your app has access to. The default setting gives access to your mail (IMAP/POP/SMTP), contacts (CardDAV/LDAP), and calendars (CalDAV). For any app that needs access to Fastmail Files storage, please select Files (FTP/WebDAV).
  5. Click Generate Password.

The next page will display your new app password. You will only need to use your app password once, so you don't need to memorize it. Copy and paste the password into the Password section when you set up your email client. Please make sure your account is working before you click Done.

It is safe to save the app password in your client. You can always remove a password, and creating new app passwords is quick and easy.

Apple auto-configuration profiles

If your app password is for an Apple device running iOS 11+, you can use the QR code to automatically set up your email on your mobile device.

For Mac desktops and laptops, please use the configuration file link to automatically configure your computer.

You can find more information on Apple auto-configuration here.

Removing access

Have you lost a device? Are you switching apps or leaving a service? Removing an app password is a quick and easy way to stop a device or service from accessing your Fastmail account.

To remove an app password:

  1. Open the Password & Security → App Passwords screen.
  2. Enter your password to unlock the settings.
  3. Find your device in the App Passwords list and click the Remove button.

How does an app password keep my account secure?

Third party apps will save your password because they constantly need to access your account to keep a current sync. However, they do not support two-step verification. This puts them at greater risk from malware attempting to steal your password. To help combat this risk, we require you to use app passwords.

App passwords are unique and secure passwords we generate for each app you use. If your device is lost or stolen you can remove access without having to change your password everywhere else.

A restricted app password allows access to only the data your app needs. You can limit access to just email, or just calendar data, or just contact data. Even if an app password is stolen, it cannot be used to change your settings or the password on your account.

Why don't I need an app password for the Fastmail app?

Your app passwords cannot be used to log in on the web or the Fastmail mobile app.

Unlike a mail client, our mobile app does not need to save your password. After you successfully log in, the server sends our app a login token which it uses to authenticate you from then on. This gives you all the same benefits of an app password without needing to generate it in advance.

Our app also supports two-step verification, which is the best way of keeping your account secure. With two-step verification enabled, even keylogging malware would not be enough to gain access to your account.

If you lose your phone, you can remotely log out of the app using the Password & Security → Logged In Sessions screen. After unlocking the screen with your password, click Log out to end any active sessions.

Why are app passwords 16 characters long? Do spaces and capitalization matter?

The format of the app password needs to fulfill two requirements:

App passwords for Fastmail are 16 characters long. Each character is a random letter or number (excluding 0, 1, O or I, because these are easily confused when copying), which leaves 32 possibilities for each character.

With 16 characters there are 1,208,925,819,614,629,174,706,176 different possible app password combinations. That's 80 bits of entropy. This level of security is considered extremely difficult to guess by brute force, and it's completely impossible against our online service, where we of course have rate limits.

Spaces and case-insensitivity do not really matter from a security standpoint, but they do make your app passwords easier to type!
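
The format described above can be sketched in a few lines of Python. This is an added example, not Fastmail's own code: the function names, the uppercase canonical form, the grouping into blocks of four and the plaintext comparison are all assumptions made for illustration.

```python
import hmac
import math
import secrets
import string

# Alphabet as described on the page: letters and digits minus 0, 1, O and I.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "01OI")
LENGTH = 16


def generate_app_password() -> str:
    """Return 16 characters drawn uniformly from the 32-symbol alphabet (OS CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def display_form(password: str, group: int = 4) -> str:
    """Insert spaces for readability (blocks of four are an assumption)."""
    return " ".join(password[i:i + group] for i in range(0, len(password), group))


def normalize(typed: str) -> str:
    """Drop whitespace and fold case, so spacing and capitalization do not matter."""
    return "".join(typed.split()).upper()


def entropy_bits() -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return LENGTH * math.log2(len(ALPHABET))


def matches(typed: str, stored: str) -> bool:
    """Check the shape of the typed value, then compare in constant time.

    Assumption: `stored` is the canonical password itself; a real service
    would compare against a stored hash instead of the plaintext.
    """
    candidate = normalize(typed)
    if len(candidate) != LENGTH or any(c not in ALPHABET for c in candidate):
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    pw = generate_app_password()
    print(display_form(pw), f"({entropy_bits():.0f} bits)")
    # Lowercase with spaces is accepted because of normalize().
    print(matches(display_form(pw).lower(), pw))
```

Because normalization happens before comparison, the spaces and letter case a user types carry no entropy; all 80 bits come from the 16 random symbols.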