Google’s New Gmail App Password Rules Start Today—3 Things To Check

Update, Sept. 30, 2024: This story, originally published Sept. 29, now includes new details of password security weaknesses.

Millions of Gmail users will face new password rules designed to make using the world’s most popular free email service more secure on Monday, Sept. 30, as they head to work. Google will no longer support access to Gmail account data from apps deemed less secure, from a third party or even from devices that are only login-protected by a username and password. Here’s what you need to know.

Goodbye Google Sync And Farewell Less Secure Apps Support For Gmail Users

If news that Google is undertaking a massive shake-up of password security across the board is a surprise, you haven’t been paying attention. From the introduction of passkeys to Chrome web browser users across Windows, macOS, Linux and Android users, to post-quantum cryptography for attack prevention, Google has been hot on security all month. Regarding this specific Gmail password security update, Google has been hot-to-trot for 12 months since giving notice a year ago. To do away with the antiquated sign-in method that is username and password, and so reduce the risk of compromise for Gmail users, Google is requiring all Google Workspace customers to login with a more secure type of access for apps wanting access to Gmail data. That access methodology is OAuth, which you can learn more about in this article warning about the forthcoming changes. The new Gmail app access password rules apply to all Google Workspace accounts, with CalDAV, CardDAV, IMAP, POP and Google Sync no longer supporting a password-based login credential.

ForbesGmail Adds Security Verification For iPhone, Android UsersBy Davey Winder

Which Gmail Users Are Impacted By The New App Password Deadline?

The new security rules regarding access to Gmail data from less secure apps apply to all customers using the Google Workspace suite of tools. Indeed, the less secure apps setting has already been removed from the Google Workspace admin console to make the transition easier by disabling the addition of new accounts using this method. Personal Gmail account holders are not impacted, although they will no longer be able to toggle the Internet Mail Access Protocol, better known as IMAP, from Gmail account settings as Google said: “IMAP access is always enabled over OAuth and your current connections will not be impacted.” Regarding users, rather than admins, of Google Workspace Gmail accounts, however, there are three specific actions that Google recommends you take so as to ensure you are not faced with a “username and password is incorrect” error message as the new rules come into effect today.

1. If you use Outlook 2016 or before, you must move to Microsoft 365 or Outlook for Windows or Mac.
2. If you use Thunderbird, or another email client, you must add your Google account again and configure it to use IMAP with OAuth.
3. If you use Mail on iOS or macOS, you must use the sign-in with Google option to enable OAuth. This will involve removing and then re-adding your account.

ForbesGoogle Announces New Gmail Security Move For MillionsBy Davey Winder

Yubico Research Reveals Worrying Lack Of Password Insecurity Awareness

Newly published research from hardware security key vendor Yubico has shone a spotlight on just why Google’s decision to take drastic action to reduce the access of less secure apps to Gmail accounts is not only warranted but necessary. The Global State of Authentication survey questioned 20,000 people from around the world, including the U.S. and U.K. to get a handle on the risk perception ordinary users have.

Unsurprisingly, more than half (58% personal, 54% work) said they use username and password combinations to log into their accounts. Equally of no great surprise is that 39% think this is the most secure method of account authorization, and 37% thought the same of using SMS-based two-factor authentication. Staggeringly, 40% also said they didn’t think the apps and services they use were doing enough to protect them and their data. Yet, nearly a quarter (22%) had never done any kind of personal cybersecurity audit to see if they themselves could be doing more.

ForbesGmail Says It Will Permanently Delete These Emails In 30 DaysBy Davey Winder

“With most cyber attacks being a result of stolen login credentials, it’s concerning that so many people still rely on this outdated authentication method, and it’s clear change is not just needed,” Derek Hanson, vice president of standards and alliances at Yubico, said, “it’s paramount to the future of a world that centers around the internet and living online.” The good news, Hanson concluded, is that there is “impactful work being done on the federal level such as NIST revising their identity guidelines in the U.S. that will influence expanding definitions of what security solutions are acceptable.” I hope that Google’s efforts will also add weight to this global influence.