macOS: Creating an App-Specific Password for iCloud

Learn how to generate an app-specific password

With the threat from a group of hackers to wipe out thousands of iCloud accounts, securing those accounts has become even more important. We have urged users to change their iCloud passwords. We also explained how you can turn on two-factor authentication (2FA), one of the most secure things you can do on any account. Once you enable 2FA, though, you might notice certain third-party apps asking for an App-Specific Password. Let’s walk through the process of getting one.

Once you enable two-factor authentication, you might need to know how to generate an app-specific password (Image Credit: JanBaby)

When Do I Need an App-Specific Password?

Third-party macOS apps that require access to your iCloud account will likely need app-specific passwords. BusyCal, Fantastical 2, Airmail 3, and Newton Mail all require app-specific passwords to connect to iCloud accounts. Those are just a few examples. Any third-party app that doesn’t natively support two-step verification or two-factor authentication will need an app-specific password to connect to any of your iCloud services.

Setting Up an App-Specific Password

To establish an app-specific password, you’ll need to log in to your Apple ID account page, preferably from Safari. Once signed in, look towards the bottom right of the page, in the Security section, for an option called App-Specific Passwords. Click Generate Password to get started.

To begin creating an app-specific password, log into your Apple ID account page and click on Generate Password

The web page will tell you what app-specific passwords are for, and allow you to enter a password label. Input whatever you want here, but my standard practice is to type in the name of the app the password is for.

When you create an app-specific password, you need to give it a label – the app name, for example

Next, Apple’s web page will provide you with an app-specific password. Highlight the entire password and copy it, either by pressing Command-C or right-clicking the highlighted password and choosing Copy.

Next, you’ll be given your app-specific password to copy

Now, return to the app needing the app-specific password. In the password field for your account information, paste the password you copied before. You can paste either by pressing Command-V or right-clicking inside the field and choosing Paste.

Paste the app-specific password into the appropriate field in your app

A Limited Number of App-Specific Passwords

Apple allows you to maintain up to 25 app-specific passwords. In the unlikely event that you run out, you can review which apps you have credentials for and revoke those you aren’t using. To do this, go back to your Apple ID account page. To the right of the Security section, click Edit.

Manage your app-specific passwords from the Security menu of your Apple ID account page

On the next page, you’ll see another section labeled App-Specific Passwords, with an option to generate a new one. To the right of that option, find the link View History, and click it.

Click View History to see a list of your app-specific passwords

A pop-up menu listing all of your active app-specific passwords will appear. If you see one that you no longer use, you can revoke it by clicking the ‘X’ next to it.

Choose an app-specific password you’d like to revoke

Finally, Apple will ask you to confirm that you want to revoke the app-specific password. Click Revoke, and you’ll go back to the list of app-specific passwords. You can click Done and then close the browser window.

Confirm that you want to revoke the app-specific password

Safeguard Your App-Specific Passwords

Apple doesn’t provide you with any way to recover your app-specific passwords, so it’s a good idea to use a password manager to store them. Alternatively, when you forget one, you can simply revoke it and issue a new one.

3 thoughts on “macOS: Creating an App-Specific Password for iCloud”

  • vpndev – I believe that invalidating app-specific passwords when the primary password is changed is the right way to do it. In the same manner that all login tokens are invalidated. i.e. after a password change every connection must be specifically re-authenticated.
    Some other services, like Dropbox I think, allow you to change the password and not affect existing connections, which takes us to the security versus convenience balancing act.

  • Gripe: if you change your iCloud password, as you’re often prompted to do, that invalidates all your app-specific passwords.

    So you need to go around and do those all over again.
