App passwords

Every third-party program or app needs its own app password to access your information. For the Fastmail app, you need to use your normal password. If you use your normal password or your Fastmail two-step verification password on an external account, syncing to an external service won't work and you will see a password error.

Users on a Basic plan will not be able to use Fastmail on third-party mail clients or create app passwords, as Basic plans do not include access to IMAP, SMTP, CalDAV, or CardDAV. If you are on a Basic plan, you can use Fastmail on a desktop web browser or the Fastmail app on mobile devices, such as a phone or tablet.

Adding a new third-party app

If want to use your Fastmail account with any non-Fastmail service such as your mail client or desktop calendar, then you will need to create an app password specific to that service.

To generate an app password:

  1. Log in to the Fastmail web interface and go to the Settings → Privacy & Security screen. Click on the Integrations tab at the top of the screen.
  2. Click New App Password.
    1. A Verify it's you box will appear. Enter your password and click Continue. (For more information, see our Password-protected actions help page.) 
  3. Select a name to identify this app password. Some options are provided; if you prefer, you can enter your own descriptive name by selecting Custom.
  4. Choose what data your app has access to. The default setting Mail, Contacts & Calendars gives access to your mail (IMAP/POP/SMTP), contacts (CardDAV), and calendars (CalDAV). For any app that needs access to Fastmail Files storage, please select Files (WebDAV).
  5. Click Generate Password.

The next page will display your new app password. Copy and paste the password into the password section of your email client. You will only need to use your app password once, so you don't need to memorize it. Please make sure your account is working in the third-party app before you click the Done button in your Fastmail settings.

It is safe to save the app password in your client. You can always remove a password, and creating new app passwords is quick and easy.

Apple auto-configuration profiles

If your app password is for an Apple device running iOS 11+, you can use the QR code to automatically set up your email on your mobile device. Please note that the link provided via the QR code can only be opened via the Safari browser. Through Safari, you should then be able to download the auto-configuration file to your device.

You can find more information on Apple auto-configuration for iOS devices here.

For Mac desktops and laptops, please use the configuration file link to automatically configure your computer.

You can find more information on Apple auto-configuration for Mac desktops and laptops here.

Reviewing access details

You can review an app password's access details at any time, which include the following:

  • What the app password has access to
  • The date and time access was first given
  • The date, time, IP address, and approximate location of most recent access

To review an app password's access details:

  1. Open the Settings → Privacy & Security screen and select the Integrations tab. 
  2. Find the app password and click Review access

Note: App passwords cannot be displayed or edited from this screen.

Removing access

Have you lost a device? Are you switching apps or leaving a service? Removing an app password is a quick and easy way to pause or permanently stop a device or service from accessing your Fastmail account.

To temporarily disable or permanently remove an app password:

  1. Open the Settings → Privacy & Security screen and select the Integrations tab.
  2. Find the app password and click the checkbox to the left of the app password.
  3. Three buttons will appear at the top of the list: Disable, Enable, and Remove. To temporarily disable access to the app password, click Disable. To permanently remove access, click Remove. Note that once access is removed it cannot be undone.
  4. A Verify it's you box will appear. Enter your password and click Continue. (For more information, see our Password-protected actions help page.)
  5. After confirming your password and clicking Continue, you should see that the app password has been disabled or removed.

You can also permanently remove an app password by going to the Review access screen and clicking Remove access.

How does an app password keep my account secure?

Third-party apps will save your password because they constantly need to access your account to keep a current sync. However, they do not support two-step verification. This makes them more at risk for malware attempting to steal your password. To help combat this risk, we require you to use app passwords.

App passwords are unique and secure passwords we generate for each app you use. If your device is lost or stolen you can remove access without having to change your password everywhere else.

A restricted app password allows access to only the data your app needs. You can limit access to just email, or just calendar data, or just contact data. Even if an app password is stolen, it cannot be used to change your settings or the password on your account.

Why don't I need an app password for the Fastmail app?

Your app passwords cannot be used to log in on the web or the Fastmail mobile app.

Unlike a mail client, our mobile app does not need to save your password. After you successfully log in, the server sends our app a login token which it uses to authenticate you from then on. This gives you all the same benefits of an app password without needing to generate it in advance.

Our app also supports two-step verification, which is the best way of keeping your account secure. With two-step verification enabled, even keylogging malware would not be enough to gain access to your account.

If you lose your phone, you can remotely log out of the app.

Why are app passwords 16 characters long? Do spaces and capitalization matter?

The format of the app password needs to fulfill two requirements:

  • It needs to be secure against someone trying to guess it.
  • It needs to be as easy as possible to type/copy into the app, while still being secure.

App passwords for Fastmail are 16 characters long. Each character is a random letter or number (excluding 0, 1, O or I, because these are easily confused when copying), which leaves 32 possibilities for each character.

With 16 characters there are 1,208,925,819,614,629,174,706,176 different possible app password combinations. That's 80 bits of entropy. This level of security is considered extremely difficult to brute force guess, and it's completely impossible against our online service where we of course have rate limits.

Spaces and case-insensitive do not really matter from a security standpoint, but they do make your app passwords easier to type!

Was this article helpful?
215 out of 343 found this helpful