App passwords

Every third-party program or app needs its own app password to access your information. For the Fastmail app, you need to use your normal password. If you use your normal password or your Fastmail two-step verification password on an external account, syncing to an external service won't work and you will see a password error.

Users on a Basic plan will not be able to use Fastmail on third-party mail clients, or create app passwords. IMAP, SMTP, CalDAV, and CardDAV are available to Standard and Professional users only. If you have a Basic plan, you can use Fastmail on a desktop web browser or the Fastmail app on mobile devices, such as a phone or tablet.

Adding a new third-party app

If you want to use your Fastmail account with any non-Fastmail service, such as your mail client or desktop calendar, you will need to create an app password specific to that service.

To generate an app password:

  1. Open the Settings → Password & Security screen. Find the Third-party apps section and click Manage.
  2. Enter your password and click Unlock, then click New App Password.
  3. Select a name to identify this app password. Some options are provided; if you prefer, you can enter your own descriptive name by selecting Custom.
  4. Choose what data your app has access to. The default setting Mail, Contacts & Calendars gives access to your mail (IMAP/POP/SMTP), contacts (CardDAV), and calendars (CalDAV). For any app that needs access to Fastmail Files storage, please select Files (FTP/WebDAV).
  5. Click Generate Password.

The next page will display your new app password. Copy and paste the password into the password section of your email client. You will only need to use your app password once, so you don't need to memorize it. Please make sure your account is working in the third-party app before you click the Done button in your Fastmail settings.

It is safe to save the app password in your client. You can always remove a password, and creating new app passwords is quick and easy.

Apple auto-configuration profiles

If your app password is for an Apple device running iOS 11+, you can use the QR code to automatically set up your email on your mobile device.

For Mac desktops and laptops, please use the configuration file link to automatically configure your computer.

You can find more information on Apple auto-configuration here.

Reviewing access details

You can review an app password's access details at any time, which include the following:

  • What the app password has access to
  • The date and time access was first given
  • The date, time, IP address, and approximate location of most recent access

To review an app password's access details:

  1. Open the Settings → Password & Security screen. Find the Third-party apps section and click Manage.
  2. Enter your password and click Unlock.
  3. Find your device in the App Passwords list and click Review Access.

Note: App passwords cannot be displayed or edited from this screen.

Removing access

Have you lost a device? Are you switching apps or leaving a service? Removing an app password is a quick and easy way to pause or permanently stop a device or service from accessing your Fastmail account.

To temporarily disable or permanently remove an app password:

  1. Open the Settings → Password & Security screen. Find the Third-party apps section and click Manage.
  2. Enter your password and click Unlock.
  3. Find your device in the App Passwords list and click the checkbox to the left.
  4. To temporarily disable access, click the grey Disable button at the top. Alternatively, you can click the red Remove access button to permanently remove it. Note that removing access cannot be undone.

How does an app password keep my account secure?

Third-party apps will save your password because they constantly need to access your account to keep a current sync. However, they do not support two-step verification. This puts them at greater risk from malware attempting to steal your password. To help combat this risk, we require you to use app passwords.

App passwords are unique and secure passwords we generate for each app you use. If your device is lost or stolen you can remove access without having to change your password everywhere else.

A restricted app password allows access to only the data your app needs. You can limit access to just email, or just calendar data, or just contact data. Even if an app password is stolen, it cannot be used to change your settings or the password on your account.

Why don't I need an app password for the Fastmail app?

Your app passwords cannot be used to log in on the web or the Fastmail mobile app.

Unlike a mail client, our mobile app does not need to save your password. After you successfully log in, the server sends our app a login token which it uses to authenticate you from then on. This gives you all the same benefits of an app password without needing to generate it in advance.

Our app also supports two-step verification, which is the best way of keeping your account secure. With two-step verification enabled, even keylogging malware would not be enough to gain access to your account.

If you lose your phone, you can remotely log out of the app using the Password & Security → Logged In Sessions screen. After unlocking the screen with your password, click Log out to end any active sessions.

Why are app passwords 16 characters long? Do spaces and capitalization matter?

The format of the app password needs to fulfill two requirements:

  • It needs to be secure against someone trying to guess it.
  • It needs to be as easy as possible to type/copy into the app, while still being secure.

App passwords for Fastmail are 16 characters long. Each character is a random letter or number (excluding 0, 1, O or I, because these are easily confused when copying), which leaves 32 possibilities for each character.

With 16 characters there are 1,208,925,819,614,629,174,706,176 different possible app password combinations. That's 80 bits of entropy. This level of security is considered extremely difficult to brute-force, and guessing is completely impossible against our online service, where we of course have rate limits.

Spaces and case-insensitivity do not really matter from a security standpoint, but they do make your app passwords easier to type!
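
The format described in this section, worked through as an added example (this is not Fastmail's own code): it builds the 32-symbol alphabet, draws 16 characters from the operating system's CSPRNG, and shows why spaces and letter case can be ignored on input without changing the 80-bit keyspace. The function names and the display grouping of four characters are assumptions made for illustration.

```python
import hmac
import math
import secrets
import string

# Letters and digits minus the look-alikes the article names: 0, 1, O, I.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits
                   if c not in "01OI")
LENGTH = 16


def generate_app_password(group=4):
    """Return 16 random characters, spaced into groups for display.

    The group width is an assumption; the article does not specify one.
    """
    raw = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
    return " ".join(raw[i:i + group] for i in range(0, LENGTH, group))


def normalize(candidate):
    """Drop whitespace and fold case so typing variations compare equal."""
    return "".join(candidate.split()).upper()


def is_well_formed(candidate):
    """True if the normalized input has the right length and alphabet."""
    norm = normalize(candidate)
    return len(norm) == LENGTH and all(c in ALPHABET for c in norm)


def matches(candidate, stored):
    """Constant-time comparison after normalization (illustration only)."""
    return hmac.compare_digest(normalize(candidate).encode(),
                               normalize(stored).encode())


def entropy_bits():
    """Entropy in bits: length * log2(alphabet size)."""
    return LENGTH * math.log2(len(ALPHABET))


def keyspace():
    """Number of distinct passwords: alphabet size ** length."""
    return len(ALPHABET) ** LENGTH


if __name__ == "__main__":
    print(generate_app_password(), entropy_bits(), keyspace())
```

Because normalization maps every spacing and case variant of an input to the same 16 symbols, accepting those variants adds no extra valid passwords for a guesser to hit.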
