What Is an App Password, and How Do You Create One?
Put every mailbox on one board and let AI categorize and de-spam each message.
An app password is a single-use, 16-character code that lets an app or device sign in to your email account when that account has two-step verification turned on. It exists because older apps and mail protocols cannot complete a two-step login prompt, so instead of your real password plus a code, you hand the app one long password that stands in for both. Each one is tied to a single app, you can revoke it any time without changing your main password, and it never gives up your account's second factor. Here is what it does, when you need one, and the exact steps for Gmail, iCloud, and Outlook.
Why do I need an app password?
You need one when two things are both true: your account has two-step verification enabled, and you are connecting it to something that logs in with a plain username and password rather than a modern sign-in window. That covers a lot of mail setups, an IMAP connection in a desktop client, an older phone's mail app, a printer that emails scans, or any tool that connects to your mailbox directly. Without the app password, the login fails, because the app has no way to answer the "enter the code we texted you" step. The app password is the workaround the providers built for exactly that gap.
The important thing to understand is that an app password is not a security downgrade if you use it correctly. It does not turn off two-step verification, it does not replace your account password, and it only works for the one app you made it for. If that app is ever compromised, you revoke that single code and everything else stays locked.
Do I need two-step verification to make an app password?
Yes, and this trips people up. On Google, Apple, and Microsoft accounts, the app-password option does not even appear until two-step (or two-factor) verification is switched on. That is by design: an app password is meant to be the narrow exception for apps that cannot do the two-step dance, so the feature only unlocks once the account is protected by two-step in the first place. If you go looking for the setting and cannot find it, the reason is almost always that two-step verification is still off.
How do I create an app password for Gmail?
Turn on 2-Step Verification first, under your Google Account, then Security. Once it is on, go to myaccount.google.com and open the App passwords page (you can search "App passwords" in your account settings, or go straight to the App passwords screen under Security). Type a name you will recognize, like "Mail on laptop," and Google generates a 16-character password. Copy it, paste it into the mail app in place of your normal password, and you are done. You will not see it again, so if you lose it, you delete that entry and make a new one.
How do I create an app-specific password for iCloud?
Apple calls it an app-specific password, and it lives at appleid.apple.com. Sign in, open the Sign-In and Security section, and choose App-Specific Passwords. You will only see the option if two-factor authentication is on for your Apple ID, which it is for almost everyone now. Click to generate one, give it a label, and Apple shows you a password. Use it wherever you would normally enter your Apple ID password to connect iCloud Mail over IMAP. You can keep up to a set number of active app-specific passwords and revoke any of them from the same screen.
How do I create an app password for Outlook?
For a personal Outlook.com or Microsoft account, turn on two-step verification at account.microsoft.com under Security, then open the advanced security options, where you will find the App passwords section. Create one, and use it in place of your password for any app that cannot handle the modern sign-in prompt. One caveat that catches business users: many work or school Microsoft 365 accounts have app passwords disabled by the administrator in favor of modern authentication, so if the option is missing on a company account, that is why, and you will need to connect through the standard sign-in window instead.
Is it safe to give an app my app password?
It is as safe as the app you give it to, which is exactly why the design is smart. Because the password is scoped to one app and revocable on its own, a good mail tool that asks for one is not asking you to lower your defenses. What matters is how that app handles the connection: whether it signs in over an encrypted IMAP connection, whether it stores your mail responsibly, and whether you can disconnect in one click. Those handling details are the real question, and they are worth checking before you paste any credential. The longer version of that judgment is in our guide on whether it is safe to give an app access to your email.
Are app passwords going away?
Not for the mainstream mail setup, though the landscape around them is shifting. Google is retiring its older POP-based "check mail from other accounts" feature and Gmailify, with those features closing to new users after early 2026 and existing users supported into January 2027, but IMAP is explicitly unaffected and stays fully supported. Microsoft has been pushing work accounts toward modern authentication and away from app passwords, which is why company accounts often have them turned off. For personal Gmail, iCloud, and Outlook.com accounts connecting over IMAP, app passwords remain the standard way in as of mid-2026. If you are wiring up an app that sends on your behalf rather than just reading, for example a tool that runs personalized outreach from your own mailbox, the same app-password mechanism is usually what authorizes the connection.
Where does this fit if I run several accounts?
If you are creating app passwords, you are probably connecting a mailbox to something, and often more than one mailbox. A unified inbox is the common reason: to put Gmail, Outlook, iCloud, and custom-domain mail on one board, each account connects over IMAP, and accounts with two-step verification use an app password to do it. Inboxes works this way, connecting each mailbox securely and then letting AI sort every message, and if you are setting several accounts up at once, the walkthrough for an email client for multiple accounts covers the connection step by step.
The takeaway: an app password is a one-off, revocable code that lets an app sign in to an account protected by two-step verification. Turn on two-step, generate the app password from your Google, Apple, or Microsoft security settings, paste it into the app once, and revoke it from the same screen if you ever stop using that app.