[Alpine-info] Gmail IMAP with username+password (was: Instructions to configure XOAUTH2 in Gmail have changed)

[Carlos E. R.]

On 2022-06-09 23:30, Eduardo Chappa wrote:

> On Thu, 9 Jun 2022, Robert Wolf wrote:


...


>> A few months ago, when this change has been announced, I have found in

>> the google account the possibility to generate special application

>> password. So I have tested it on one low-prio account. I had to

>> activate 2-step verification and then I could generate special

>> password for Mail. With this password and my email I was able to login

>> to IMAP using simple username+password authentication.

> 

> This is interesting. While the use of XOAUTH2 over app generated

> passwords might be a matter of personal preference, I wonder why Google

> allows these still. Do you have to generate a password for different

> machines or can you use the same password for two different machines?

> (say a user needs access from office computer and from home computer).

> If the answer is that the same password generated in one machine can be

> used to access in another machine, then I do not see much of a gain in

> security. Refresh tokens cannot be moved from one machine to another.

> Typically any attempt to move a refresh token from one machine to

> another will make the refresh token lose its effectiveness (this is a

> problem that people find when they attempt to authorize Alpine in one

> machine and do the authorization process in another). What this

> potentially means is that if someone decodes a password file that

> contains an app generated password they will gain access to that

> account, but not if they decode such password file containing a refresh

> token.


I use a different password for each application (alpine, postfix, etc),
and machine. Maybe sharing would work, but I'm not risking it.

Although in this machine I'm not using Alpine much, not fully configured
yet, postfix is working.



-- 
Cheers / Saludos,

		Carlos E. R.

  (from Elesar, using openSUSE Leap 15.3)