Welcome to the mailbox.org user forum!
 

Will Mailbox.org implement app passwords someday?

5014849 shared this question 23 months ago
Answered

A lot of modern email service providers have app specific passwords that can be created and revoked at any time.

This allows people to turn on 2FA on their account, and use app passwords to log into programs such as K9 Mail, Fairmail, Thunderbird, etc.

Will Mailbox.org be implementing this in the near future?

Best Answer

I didn't see the setting and was going to ask you where exactly with a screenshot. So I switched the language to English (I set it to German because I'm trying to learn the language, so I try to get immersed more) and..... there it is! Now I see the setting as well! (Edit: it's also present in the German translation, the page reload is what must have done it.)

More precisely, it's under Settings -> Security (not account security) -> Application Passwords. This link should also work I think:

https://office.mailbox.org/appsuite/#!!&app=io.ox/settings&folder=virtual/settings/appPasswords&storeLocale=true

Thanks for the hint Maximus :)

Replies (10)

2

I was wondering the same! According to help section 12.6 it's possible to do this, but the actual setting seems to be missing. I'm on the old 1-euro plan so maybe that's the reason?

3

We have a business plan from 2022 or maybe early 2023 and I also do not see this option.

Does anyone see this option at all or are the help files plain wrong?

1

Please!

1

This would be a very welcome addition to the service. I hope they are considering it.

1

+1 on this!

Like many, I let various 3rd party calendar apps use my CalDAV calendars. For this, I currently have to provide my full mailbox.org credentials.... this is not safe

3

It is a shame that this feature is still not available.

Mailbox is warning in its blog about the current security issue, since it was made public that the new Outlook from Microsoft is copying the login credentials of IMAP accounts into their cloud.


Unfortunately it is not app specific, so I can’t revoke it. Now I have to change it in all my clients.

1

I'd really appreciate this as I am currently using a cumbersome setup with a dummy GMail account, which has an app password (which you cannot login using), so that my VPS status emails are sent from the VPS to GMail, which forwards to my Mailbox.org account.

I'd prefer to be able to use a simple SMTP-only app password on the VPS, in case it ever gets hacked (not likely, but never say ...).

2

I cannot use MS Outlook anymore with my mailbox at mailbox.org and it seems this is due to the absence of app passwords. So please provide the feature asap.

2

This does not make any sense at all.

3

I really hope that this feature gets added soon. This is the only service that I use that I do not have 2FA turned on, because if I turn it on, I would not be able to use IMAP. This causes a lot of insecurities. App passwords and being able to revoke them at any time would help with the security.

2

App password with the possibility to revoke it is a must have nowadays. Pls get it implemented very soon.

2

As of today, I'm seeing this option under settings, account security, for the first time. Have not tested it out yet. Anyone else have this option?

2

I can confirm that it has also appeared on my end as well under the security tab.

Great news!

3

It seems that for now only WebDAV, CalDAV/CardDAV are supported. But IMAP/POP3 are still missing.

I hope this will come soon.

A pity that there doesn't seem to be any communication about this feature from the staff in this forum.

2

Useless as long as imap / smtp is not supported :-(

1

I've tried using it with DAVx⁵ and it doesn't appear to work yet, I'm getting permission errors. I suggest staying hands-off until an official announcement is made.

10

Hi,

and thank you all for your comments and your input, we really appreciate it. We always try to listen to our customers and of course we try to accommodate the feature requests that reach us. In the case of app passwords we have started a silent launch, because we do not yet support IMAP/SMTP, as you noticed. We are still working on it and we hope that we will be able to release that feature soon.

Have a nice weekend and happy holidays!

Your mailbox.org team

2

Nice. Really looking forward to IMAP/SMTP integration.

You need beta testers for this feature?

1

I'm happy to beta test as well :)

2

Having an early access program would be wonderful!

2

Terrific! A separate app password for XMPP would be really great.

4

So far CalDAV app password seems to be working well, cannot wait for future developments on this feature!

1

@mailbox.org Team: Is there any update concerning release of the feature for IMAP/SMTP?

1

hi team ... any news on this topic (IMAP/SMTP app PW) ? Any roadmap?

1

Looks like 'soon' can take another several months or years...

1

I appreciate the team working on this feature, but I have an application password security question I haven't received a clear answer on. Maybe someone here in the forum can help?

  1. Does every Mailbox.org user have a unique application password user name (ie 1234567@1234567) or do all users have the same application user name (with only a different password)?
  2. If all users have the SAME application user name, how is using an assigned shorter application password more secure than the traditional login method (seeing as how the default auto-generated application password is short and more easily brute forced than a longer, complex one created by the user)? Wouldn't application passwords be an easier attack vector, especially since there is no 2FA? Or maybe I'm missing something?

Even with Mailbox tasks, calendar, and contacts being unencrypted by default (a purposeful privacy and security liability in favor of greater usability), I'm struggling to understand what security benefits application passwords bring users in light of my above questions. I'm not an expert and asking honestly, so anyone with insight on this, please chime in. How is this better than the current login system (besides providing login time and IP info)?

1

Hi, from my perspective the biggest security improvement with application passwords is that if an attacker gets this password, he only has access to your mails.

When he currently gets your credentials he has access to your whole account, not just the mails.

2

Also, from other mail providers that I use/d, you create an app password with the application's name or any name you want. It'll populate the password for you to use; once you dismiss that screen, you cannot pull up the app password anymore. It is also easy to revoke app passwords if you believe that one of your apps using the password got compromised. Or if your laptop got stolen, you can just go in and revoke all app passwords used on that laptop.
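
The properties described in the replies above (a password limited to certain protocols, shown only once at creation, and revocable per device), sketched as an added example that is not part of the original thread and is not mailbox.org's or Open-Xchange's code. The class, method and scope names are hypothetical.

```python
import hashlib
import hmac
import secrets

class AppPasswordStore:
    """Hypothetical per-account store (illustration only)."""

    def __init__(self):
        self._entries = {}  # entry id -> record; the plaintext secret is never stored

    @staticmethod
    def _digest(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def create(self, label, scopes):
        """Return (entry_id, secret). The secret is shown to the user once."""
        secret = secrets.token_urlsafe(24)  # 24 random bytes = 192 bits
        salt = secrets.token_bytes(16)
        entry_id = secrets.token_hex(8)
        self._entries[entry_id] = {
            "label": label, "scopes": frozenset(scopes), "salt": salt,
            "digest": self._digest(secret, salt), "revoked": False,
        }
        return entry_id, secret

    def revoke(self, entry_id):
        self._entries[entry_id]["revoked"] = True

    def verify(self, secret, protocol):
        """Return the label of the matching live entry, or None."""
        for entry in self._entries.values():
            if entry["revoked"] or protocol not in entry["scopes"]:
                continue
            candidate = self._digest(secret, entry["salt"])
            if hmac.compare_digest(entry["digest"], candidate):
                return entry["label"]
        return None

def demo():
    store = AppPasswordStore()
    phone_id, phone_pw = store.create("phone calendar app", {"caldav", "carddav"})
    _, laptop_pw = store.create("laptop sync", {"webdav"})
    results = {
        "phone_caldav": store.verify(phone_pw, "caldav"),
        "phone_imap": store.verify(phone_pw, "imap"),  # outside the granted scope
    }
    store.revoke(phone_id)  # e.g. the phone was stolen
    results["phone_after_revoke"] = store.verify(phone_pw, "caldav")
    results["laptop_webdav"] = store.verify(laptop_pw, "webdav")  # unaffected
    return results
```

Because each secret is generated randomly rather than chosen by the user, its resistance to guessing depends on the generated length, which here is 192 bits.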

3

As the latest answer from mailbox.org Team is nearly half a year old - is there any update with app passwords? Are you still working on it? Will it come in 2024, or is this something planned for 2025?

1

Would be great to see this implemented, is there any update? Thanks!

2

Hello,


I just wanted to leave a small feedback.

I'm currently looking to change email provider (I have my own domain) and mailbox.org seemed to be a really good candidate. So I started transferring everything but when transferring emails I realized that there is no app password for the IMAP access. It is way too dangerous to use IMAP without an app password on a smartphone. Someone who steals the phone will have access to EVERYTHING.


If we have an ETA for when this feature will come out I would be happy to already do the switch to mailbox.org now

Kind regards

1

@Cecilia:

App Passwords are already implemented. Just go to Settings > Security > Application Passwords and follow on-screen prompts.

1

Limited support currently for only certain features:

CalDAV/CardDAV

WebDAV

Drive Sync


1

I'm considering switching away from Mailbox.org because of the subpar support for app passwords and 2FA. Despite what is claimed at this link (https://office.mailbox.org/appsuite/help/l10n/en_GB/ox.appsuite.user.sect.security.apppasswords.html), I can only make app passwords for the three types of apps mentioned in the above reply. Since I rely on getting email to my smartphone, this means that I can't restrict normal password logins to just the web client when enabling 2FA, making the security gains from enabling it pretty minimal. Added to the poor UX for 2FA (using a dedicated 2FA "pin" plus the OTP in the password field instead of using my normal password and entering the OTP on a second screen like every other web service I use), this service makes modern security standards unnecessarily difficult to achieve.

2

Hi Sam,

thank you for your post. We are currently working on implementing different app passwords, but this can take a while because of the complexity of our system. The link you posted leads to the FAQ of OpenXchange, the vendor of the software we are using for the webmailer, not our own, so in some cases the FAQs can differ. But we are working hard on releasing app passwords for all apps.

With kind regards

your mailbox.org team
