Apple upped its account security for Apple IDs years ago to prevent unwanted and unauthorized third-party access to all your information. Apple relies on Apple ID across all its software and services, but third-party software can only gain access to three kinds of data: email, contacts, and events.
Apple requires web-connected and native mobile or desktop software—on iOS, Android, Windows, macOS, and others—that want to use any of those three kinds of data to use a special kind of access. You create a so-called app-specific password for each piece of software to which you want to grant access.
Google and other ecosystems offer a similar approach to reduce the opportunity for exploitation. Apple lets this password be used for email, contacts, and events; some other systems require you lock it down to one of those three services, or even to a task as specific as “retrieving email.”
To create an app-specific password, follow these steps:
- Login to your Apple ID account in a web browser at appleid.apple.com. (You can only create and manage these passwords at the website.)
- In the Security section, click Generate Password.
- Enter a label to remind you on why you created the password and click Create.
- The site creates a password that you can write down or select and copy. Click Done.
- In the third-party software you’re using, enter your Apple ID email address and this password. No additional steps are required.
You can create up to 25 app-specific passwords. While Apple recommends you create one for each service or site, you can re-use them.
The utility of app-specific passwords is that you can revoke them without resetting your account.
- Log in at the Apple ID site.
- Click Edit to the right of the Security label.
- To the right of the app-specific password generation link, click View History.
- The site displays a list of passwords with labels and when they were created. Click the x to the right of the listing and then click Revoke to remove it. You can also click Revoke All to deny access to all third-party apps if you believe something was compromised.
Treat these app-specific passwords with the same kind of care as you would your main iCloud password. Someone who gains access to your email can often use that as a scaffolding to access other parts of your life, such as sending password reset requests to the iCloud email address for other services, receiving second-factor login codes for financial institutions, or confirming transactions via email.