Will Mailbox.org implement app passwords someday?

We have a business plan from 2022 or maybe early 2023 and I also do not see this option.

Does anyone see this option at all or are the help files plain wrong?

This does not make any sense at all.

I didn't see the setting and was going to ask you where exactly with a screenshot. So I switch the language to English (I set it to German because I'm trying to learn the language, so I try to get immersed more) and..... there it is! Now I see the setting as well! (Edit: it's also present in the German translation, the page reload is what must have done it.)

More precisely, it's under Settings -> Security (not account security) -> Application Passwords. This link should also work I think:

https://office.mailbox.org/appsuite/#!!&app=io.ox/settings&folder=virtual/settings/appPasswords&storeLocale=true

Thanks for the hint Maximus :)

I can confirm that it has also appeared on my end as well under the security tab.

Great news!

It seems that for now only WebDAV, CalDAV/CardDAV are supported. But IMAP/POP3 are still missing.

I hope this will come soon.

A pity that there doesn't seem to be any communication about this feature from the staff in this forum.

Useless as long as imap / smtp is not supported :-(

I've tried using it with DAVx⁵ and it doesn't appear to work yet, I'm getting permission errors. I suggest staying hands-off until an official announcement is made.

Hi,

and thank you all for your comments and your input, we really appreciate it. We always try to listen to our customers and of course we try to accomodate the feature requests that reach us. In the case of app passwords we have started a silent launch, because we do not yet support IMAP/SMTP, as you noticed. We are still working on it and we hope that we will be able to release that feature soon.

Have a nice weekend and happy holidays!

Your mailbox.org team

Nice. Really looking forward to IMAP/SMTP integration.

You need beta testers for this feature?

I'm happy to beta test as well :)

Having an early access program would be wonderful!

Terrific! A separate app password for XMPP would be really great.

So far CalDAV app password seems to be working well, cannot wait for future developments on this feature!

@mailbox.org Team: Is there any update concerning release of the feature for IMAP/SMTP?

hi team ... any news on this topic (IMAP/SMTP app PW) ? Any roadmap?

Looks like 'soon' can take another several months or years...

I appreciate the team working on this feature, but I have an application password security question I haven't received a clear answer on. Maybe someone here in the forum can help?

1. Does every Mailbox.org user have a unique application password user name (ie 1234567@1234567) or do all users have the same application user name (with only a different password)?
2. If all users have the SAME application user name, how is using an assigned shorter application password more secure than the traditional login method (seeing as how the default auto-generated application password is short and more easily brute forced than a longer, complex one created by the user)? Wouldn't application passwords be an easier attack vector, especially since there is no 2FA? Or maybe I'm missing something?
   

Even with Mailbox tasks, calendar, and contacts being unencrypted by default (a purposeful privacy and security liability in favor of greater usability), I'm struggling to understand what security benefits application passwords bring users in light of my above questions. I'm not an expert and asking honestly, so anyone with insight on this, please chime in. How is this better than the current login system (besides providing login time and IP info)?

Hi, from my perspective the biggest security improvement with application passwords is: that if an attacker gets this password he has only access to your mails.

When he currently gets your credentials he has access to your whole account, not just the mails.

Also, from other mail providers that I use/d, you create an app password with the application's name or any name you want. It'll populate the password for you to use; once you dismiss that screen, you cannot pull up the app password anymore. It is also easy to revoke app passwords if you believe that one of your apps using the password got compromised. Or if your laptop got stolen, you can just go in and revoke all app passwords used on that laptop.

As the latest answer from mailbox.org Team is nearly half a year old - is there any update with app passwords? Are you still working on it? Will it come in 2024, or is this something planned for 2025?

Would be great to see this implemented, is there any update? Thanks!

Hello,

I just wanted to leave a small feedback.

I'm currently looking to change of email provider (I have my own domain) and mailbox.org seemed to be a really good candidate. So I started transferring everything but when transferring emails I realized that there is no app password for the imap access. It is way too dangerous to use imap without an app password on a smartphone. Someone who steal the phone will have access to EVERYTHING.

If we have an ETA for when this feature will come out I would be happy to already do the switch to mailbox.org now

Kind regards

@Cecilia:

App Passwords are already implemented. Just go to Settings > Security > Application Passwords and follow on-screen prompts.

Limited support currently for only certain features:

CalDEV/CardDEV

WebDEV

Drive Sync

I'm considering switching away from Mailbox.org because of the subpar support for app passwords and 2FA. Despite what is claimed at this link (https://office.mailbox.org/appsuite/help/l10n/en_GB/ox.appsuite.user.sect.security.apppasswords.html), I can only make app passwords for the three types of apps mentioned in the above reply. Since I rely on getting email to my smartphone, this means that I can't restrict normal password logins to just the web client when enabling 2FA, making the security gains from enabling it pretty minimal. Added to the poor UX for 2FA (using a dedicated 2FA "pin" plus the OTP in the password field instead of using my normal password and entering the OTP on a second screen like every other web service I use), this service makes modern security standards unnecessarily difficult to achieve.

Hi Sam,

thank you for your post. We are currently working on implementing different app passwords, but this can take a while because of the complexity of our system. The link you posted leads to the FAQ of OpenXchange, the vendor of the software we are using for the webmailer, not our own, so in some cases the FAQs can differ. But we are working hard on releasing app passwords for all apps.

With kind regards

your mailbox.org team

I have the same inclination. It is really a pity as I wanted to support a German / European provider. However lagging behind the bigger providers like MS or Google on such very basic security measures gets more and more incomprehensible.

I'm quite disappointed too, what are the alternatives if you want ot avoid M$ and Google and want something similar to mailbox.org?

yes, please share!

I was looking at ProtonMail and found it much more convincing regarding security features. Still hoping for mailbox to catch up at some point.

I just looked up tuta and they only support their own app (no IMAP/POP) and they don't support application password.

Mailfence has very nice security settings (app passwords for IMAP/POP3/Exchange, 2FA), the spam filter is just rubbish tho (way too many false positives).

The service StartMail seems to have device specific IMAP passwords. See here.

Moved over to Protonmail, development is very slow with Mailbox and is unacceptable considering that they try to market their service as Privacy conscious.

I switched to Proton a long time ago. They are constantly developing and place a high value on security and privacy.

@LR I just dropped mailfence yesterday because I've had two different companies fail to deliver email to them in the last two weeks (showing me the bounce reports), yet nothing shows on their status page.

I started testing StartMail and it works well. I still prefer using IMAP/SMTP on any device. Protonmail only has local IMAP support on desktop and on mobile one needs their app. Bad if one also has other mail accounts from other providers.

See my recent PSA post in the user forum for info on the beta program now allowing email app passwords.