OT - Google accounts turning off less secure access

46 views
Skip to first unread message

David

unread,
May 23, 2022, 9:37:24 AMMay 23
to
Google has decided to turn of access to gmail accounts from 30th May.

Does anyone have a list of email clients which are considered to be secure?
Which ones do others use?
Or do you avoid Gmail accounts?

I use Thunderbird on Windows and K-9 mail on Android.

I have no desire to be forced to use webmail.

Cheers



Dave R


--
AMD FX-6300 in GA-990X-Gaming SLI-CF running Windows 7 Pro x64

--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

Jeff Gaines

unread,
May 23, 2022, 10:15:11 AMMay 23
to
On 23/05/2022 in message <jf1h0f...@mid.individual.net> David wrote:

>Google has decided to turn of access to gmail accounts from 30th May.
>
>Does anyone have a list of email clients which are considered to be secure?
>Which ones do others use?
>Or do you avoid Gmail accounts?
>
>I use Thunderbird on Windows and K-9 mail on Android.
>
>I have no desire to be forced to use webmail.
>
>Cheers
>
>
>
>Dave R

I use eM Client:

https://www.emclient.com/

Which has always worked with GMail AND Exchange for
email/contacts/calendars. Whether it will after 30 May I don't know but it
does 2 stage verification for both Google & Microsoft. Free for 2 email
accounts.

--
Jeff Gaines Dorset UK
Greater love hath no man than this, that he lay down his friends for his
life.
(Jeremy Thorpe, 1962)

David

unread,
May 23, 2022, 10:18:28 AMMay 23
to
On Mon, 23 May 2022 14:15:05 +0000, Jeff Gaines wrote:

> On 23/05/2022 in message <jf1h0f...@mid.individual.net> David wrote:
>
>>Google has decided to turn of access to gmail accounts from 30th May.
>>
>>Does anyone have a list of email clients which are considered to be
>>secure?
>>Which ones do others use?
>>Or do you avoid Gmail accounts?
>>
>>I use Thunderbird on Windows and K-9 mail on Android.
>>
>>I have no desire to be forced to use webmail.
>>
>>Cheers
>>
>>
>>
>>Dave R
>
> I use eM Client:
>
> https://www.emclient.com/
>
> Which has always worked with GMail AND Exchange for
> email/contacts/calendars. Whether it will after 30 May I don't know but
> it does 2 stage verification for both Google & Microsoft. Free for 2
> email accounts.

Thanks.

Unfortunately I have significantly more than 2 email accounts and more
than one computer.

Andy Burns

unread,
May 23, 2022, 10:23:51 AMMay 23
to
On 23/05/2022 14:37, David wrote:

> Google has decided to turn of access to gmail accounts from 30th May.

The simplest solution is to use oAuth2 from thunderbird for the gmail account,
any recent thunderbird will be fine.

Failing that, you have to enable two-step verification for your google account,
and then you can create an app-specific password just for IMAP/POP access to
gmail, you can't disable 2SV after that stage, because it will delete the
app-specific passwords.

> Does anyone have a list of email clients which are considered to be secure?

None according to google.



The Other John

unread,
May 23, 2022, 10:31:15 AMMay 23
to
On Mon, 23 May 2022 13:37:19 +0000, David wrote:

> Google has decided to turn of access to gmail accounts from 30th May.
>
> Does anyone have a list of email clients which are considered to be
> secure?
> Which ones do others use?
> Or do you avoid Gmail accounts?
>
> I use Thunderbird on Windows and K-9 mail on Android.

According to an article in Computer Active issue 361 Thunderbird 'is
regarded as secure by Google because it uses an authorisation protocol
called OAuth 2.0 to authenticate Gmail accounts'. Check that it is
selected in server settings.

--
TOJ.

Jeff Gaines

unread,
May 23, 2022, 11:33:27 AMMay 23
to
On 23/05/2022 in message <jf1jdf...@mid.individual.net> David wrote:

>>I use eM Client:
>>
>>https://www.emclient.com/
>>
>>Which has always worked with GMail AND Exchange for
>>email/contacts/calendars. Whether it will after 30 May I don't know but
>>it does 2 stage verification for both Google & Microsoft. Free for 2
>>email accounts.
>
>Thanks.
>
>Unfortunately I have significantly more than 2 email accounts and more
>than one computer.

You could always get a licence :-)

--
Jeff Gaines Dorset UK
Here we go it's getting close, now it's just who wants it most.

Algernon Goss-Custard

unread,
May 23, 2022, 12:12:49 PMMay 23
to
Andy Burns <use...@andyburns.uk> posted
>On 23/05/2022 14:37, David wrote:
>
>> Google has decided to turn of access to gmail accounts from 30th May.
>
>The simplest solution is to use oAuth2 from thunderbird for the gmail
>account, any recent thunderbird will be fine.
>
>Failing that, you have to enable two-step verification for your google
>account, and then you can create an app-specific password just for
>IMAP/POP access to gmail, you can't disable 2SV after that stage,
>because it will delete the app-specific passwords.

But we have just had Chris <ithi...@gmail.com> on alt.comp
software.thunderbird pointing us to
https://support.mozilla.org/en-US/kb/thunderbird-and-gmail
which says "As of May 30, 2022, Google no longer allows Less secure apps
access for Gmail accounts, thus oAuth is required."

Is oAuth going to be required, as Mozilla says, or is it not, as you
say? Do you blame us for being confused and worried?

--
Algernon

Andy Burns

unread,
May 23, 2022, 1:03:03 PMMay 23
to
Algernon Goss-Custard wrote:

> Andy Burns <use...@andyburns.uk> posted

> Is oAuth going to be required, as Mozilla says, or is it not, as you say? Do you
> blame us for being confused and worried?

It really isn't difficult ...

"insecure apps" is definitely going away in a week's time

"app passwords" is staying and will work with any IMAP/POP client that currently
works with insecure apps, but this in turn requires two step verification

"oauth2.0" is what google would really like you to use, recent thunderbird
works, ancient thunderbird doesn't, outlook express doesn't, turnpike doesn't.



John Rumm

unread,
May 23, 2022, 1:23:44 PMMay 23
to
On 23/05/2022 17:12, Algernon Goss-Custard wrote:
> Andy Burns <use...@andyburns.uk> posted
>> On 23/05/2022 14:37, David wrote:
>>
>>> Google has decided to turn of access to gmail accounts from 30th May.
>>
>> The simplest solution is to use oAuth2 from thunderbird for the gmail
>> account, any recent thunderbird will be fine.

> But we have just had Chris <ithi...@gmail.com> on alt.comp
> software.thunderbird  pointing us to
> https://support.mozilla.org/en-US/kb/thunderbird-and-gmail
> which says "As of May 30, 2022, Google no longer allows Less secure apps
> access for Gmail accounts, thus oAuth is required."
>
> Is oAuth going to be required, as Mozilla says, or is it not, as you
> say? Do you blame us for being confused and worried?

Erm, read carefully above :-)

OAUTH2 will be required, and thunderbird supports it.



--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

Andy Burns

unread,
May 23, 2022, 1:33:16 PMMay 23
to
On 23/05/2022 18:23, John Rumm wrote:

> Algernon Goss-Custard wrote:
>
>> Is oAuth going to be required, as Mozilla says, or is it not
>
> Erm, read carefully above :-)

That's mozilla's interpretation, not google's statement.

> OAUTH2 will be required, and thunderbird supports it.

Google currently have three IMAP/POP sign-on methods, one (insecure apps) is
going away, therefore two remain, app-passwords which even google say "aren’t
recommended and are unnecessary in most cases" and oauth2.0 which is what they
would prefer you to use.



Andy Burns

unread,
May 23, 2022, 2:18:51 PMMay 23
to
Tim Streater wrote:

> Andy Burns wrote:
>
>> Google currently have three IMAP/POP sign-on methods, one (insecure apps) is
>> going away, therefore two remain, app-passwords which even google say "aren’t
>> recommended and are unnecessary in most cases" and oauth2.0 which is what they
>> would prefer you to use.
>
> Right so for me the alternative to OAUTH2 is the same rigmarole I have to go
> through with Apple: developer account, certificates, code-signing,
> app-specific password, and notarisation. Once is enough

You only have to enter the 2FA *once* per device, then you can create your
app-password, and give it to thunderbird, thunderbird itself won't ask for 2FA
everytime you read your email.

if you leave Google's cookies alone, you will only have to signin with 2FA once
per device. Me? I prefer to nuke all cookies daily.

> so the hell with that
> too. In fact that's prolly why I persevered with OAUTH2 for a while. And it
> only works with the Apple setup because an app called AppWrapper appeared
> which does all the hard work. So for me these days, it's one click to
> code-sign, then prepare the distribution .dmg, then another click to submit
> for notarisation.
>
> This is how software erodes.



NY

unread,
May 23, 2022, 3:25:25 PMMay 23
to
"Andy Burns" <use...@andyburns.uk> wrote in message
news:jf1t21...@mid.individual.net...
What about Windows Live Mail. I'd like to continue using it for *all* my
email accounts, and not have to use Thunderbird for my Gmail account. I've
nothing against Thunderbird in principle for everything, but I'd want to be
able to import saved emails from WLM, and I much prefer WLM's architecture
of a separate file per email message rather than a separate file per email
folder.

If I have to set up 2-step verification, what are the implications? Does it
mean that I need to nominate a mobile phone so Gmail (web interface) can
send me a text code whenever I log on that way (eg to check for
non-delivered emails which may have been wrongly classified as spam). Is
there a step-by-step list of instructions for what needs to be done to
create an app-specific password that will allow a non-oAuth2 application to
access by POP/SMTP.

Is the change only affecting *receiving* or emails? Is sending (by SMTP)
affected also?

I've got to try to work out how to get the standard Samsung email
application on my Android phone to work. This is Android 8. I wonder if it
supports oAuth2? I can foresee a lot of work for computer consultants being
asked to restore working email on phones, tablets and PCs.

Andy Burns

unread,
May 23, 2022, 3:35:20 PMMay 23
to
NY wrote:

> Andy Burns wrote:
>
>> "oauth2.0" is what google would really like you to use, recent thunderbird
>> works, ancient thunderbird doesn't, outlook express doesn't, turnpike doesn't.
>
> What about Windows Live Mail. I'd like to continue using it for *all* my email
> accounts

out of luck, unfortunately.


Andy Burns

unread,
May 23, 2022, 3:40:11 PMMay 23
to

Tim Streater wrote:

> Andy Burns wrote:
>
>> then you can create your app-password, and give it to thunderbird
>
> I won't be giving it to Thunderbird, I'd be giving it to my app. So I should
> be having to add code to my app.

The good news is you have zero work to do to your app.

Keep your existing google username in the username field

put the new app-password in the password field instead of your main google
account password, that's it!

> Does Google describe what the protocol is, for this extra client <-> gmail
> communication?

it's just normal POP or IMAP, but with a different password.

NY

unread,
May 23, 2022, 3:59:59 PMMay 23
to
"Andy Burns" <use...@andyburns.uk> wrote in message
news:jf268m...@mid.individual.net...
Does that not also apply to WLM which could be configured to use an
app-specific password rather than the normal Gmail password?

I realise that Thunderbird can *alternatively* be configured to use oAuth2,
in which case I presume you use the normal Gmail password?

Andy Burns

unread,
May 23, 2022, 4:18:34 PMMay 23
to
NY wrote:

> Andy Burns wrote:
>
>> it's just normal POP or IMAP, but with a different password.
>
> Does that not also apply to WLM which could be configured to use an app-specific
> password rather than the normal Gmail password?

Yes it does, sorry I answered your earlier question too narrowly.

To use an app-password, does require you enable 2SV on your google account
(permanently) the 2SV can be done by either

having pop-up messages on your phone and/or tablet

or using a google authenticator app

or even using printed-out one-time passwords.

this will happen whenever you (but not thunderbird) logs into a google app, if
you allow cookies it won't be *every* time, I tend to clear cookies frequently.

> I realise that Thunderbird can *alternatively* be configured to use oAuth2, in
> which case I presume you use the normal Gmail password?

yep, which it turns into a token, and then that is stored in TB, rather than the
password.

Theo

unread,
May 23, 2022, 4:41:05 PMMay 23
to
But can't you still use it via an app password? I don't think there's any
apps which won't work any more, but for those without oauth you need to
configure 2SV and app passwords.

Theo

Andy Burns

unread,
May 23, 2022, 4:47:14 PMMay 23
to
Theo wrote:

> Andy Burns wrote:
>
>> NY wrote:
>>
>>> Andy Burns wrote:
>>>
>>>> "oauth2.0" is what google would really like you to use, recent thunderbird
>>>> works, ancient thunderbird doesn't, outlook express doesn't, turnpike doesn't.
>>>
>>> What about Windows Live Mail. I'd like to continue using it for *all* my email
>>> accounts
>>
>> out of luck, unfortunately.
>
> But can't you still use it via an app password?

yes, because NY only quoted my oAuth section, I answered in relation to WLM
supporting oAuth, see message below.

Not helped because in other groups there are folk who think Google will be
sending black helicopters to track them, the instant they enable 2SV :-)


Andy Burns

unread,
May 23, 2022, 5:30:05 PMMay 23
to
Tim Streater wrote:

> Now: this app-specific p/w - do I just choose a random string

google assigns the random string.

> and then perhaps
> via my google login, notify google that this is what it is, or does google
> give you one when one is setting up 2FA on the account?

Once you've enabled 2SV, there's a page where you can create one or more
app-passwords for various apps.



SteveW

unread,
May 23, 2022, 7:05:20 PMMay 23
to
On 23/05/2022 15:23, Andy Burns wrote:
> On 23/05/2022 14:37, David wrote:
>
>> Google has decided to turn of access to gmail accounts from 30th May.
>
> The simplest solution is to use oAuth2 from thunderbird for the gmail
> account, any recent thunderbird will be fine.
>
> Failing that, you have to enable two-step verification for your google
> account, and then you can create an app-specific password just for
> IMAP/POP access to gmail, you can't disable 2SV after that stage,
> because it will delete the app-specific passwords.

I'm glad that there seems to be a way to continue app specific access -
as I run a home server and all our email goes through that, but it also
picks up email from a number of accounts that we don't use day to day,
but need to know if important notifications arrive from them.

Andy Burns

unread,
May 24, 2022, 2:09:09 AMMay 24
to
SteveW wrote:

> I run a home server and all our email goes through that, but it also picks up
> email from a number of accounts that we don't use day to day, but need to know
> if important notifications arrive from them.

Not used it, but another approach could be

<https://github.com/simonrob/email-oauth2-proxy>


SteveW

unread,
May 24, 2022, 12:22:22 PMMay 24
to
Could be useful, but for now, I have done what you previously mentioned
and set up an app specific password - which is working fine.


#Paul

unread,
May 24, 2022, 2:32:06 PMMay 24
to
Andy Burns <use...@andyburns.uk> wrote:
> Algernon Goss-Custard wrote:
>
>> Andy Burns <use...@andyburns.uk> posted
>
>> Is oAuth going to be required, as Mozilla says, or is it not, as you
>> say? Do you blame us for being confused and worried?
>
> It really isn't difficult ...
>
> "insecure apps" is definitely going away in a week's time

Well, things that google chooses to label "insecure apps" are
going to be denied access, leaving many with a practical
problem of accessing email. But do not confuse google's claims
of "insecurity" with any sort of guaranteed truth; although some
email downloading software blocked by google might be insecure,
there is also long established and actively maintained software
which isn't insecure, and will still be blocked.



#Paul

Chris Green

unread,
May 24, 2022, 3:03:06 PMMay 24
to
#Paul <news20k...@threeformcow.myzen.co.uk> wrote:
> Andy Burns <use...@andyburns.uk> wrote:
> > Algernon Goss-Custard wrote:
> >
> >> Andy Burns <use...@andyburns.uk> posted
> >
> >> Is oAuth going to be required, as Mozilla says, or is it not, as you
> >> say? Do you blame us for being confused and worried?
> >
> > It really isn't difficult ...
> >
> > "insecure apps" is definitely going away in a week's time
>
> Well, things that google chooses to label "insecure apps" are
> going to be denied access, leaving many with a practical
> problem of accessing email.

" a practical problem of accessing *gmail*" maybe but there's nothing
forcing people into using gmail. Even Android users are perfectly at
liberty to use other email providers.

> But do not confuse google's claims
> of "insecurity" with any sort of guaranteed truth; although some
> email downloading software blocked by google might be insecure,
> there is also long established and actively maintained software
> which isn't insecure, and will still be blocked.
>

--
Chris Green
·

John Rumm

unread,
May 24, 2022, 8:48:24 PMMay 24
to
They should know google already knows enough about them to not make the
helicopter worthwhile :-)

Robert

unread,
May 25, 2022, 4:26:07 AMMay 25
to
I use Aquamail on Android, handles multiple mailboxes nicely and very
configurable. It is oAuth2 compliant !

SteveW

unread,
May 25, 2022, 5:29:03 AMMay 25
to
On 24/05/2022 17:53, Tim Streater wrote:
> As have I. Although I have to say I'm not sure how it counts as being that
> much more secure. Anyway, all I care about is that it looks like it won't
> obsolete my app, so thanks to Andy for that.

It does mean that your email program's access password is not the same
as your Google account's, so someone getting hold of your password will
be able to access your email, but not the rest of your account - which
with Google able to be used to log you in to all sorts of accounts and
to make payments, might matter.

lacksey

unread,
May 25, 2022, 6:06:41 AMMay 25
to
On Wed, 25 May 2022 19:28:57 +1000, SteveW <st...@walker-family.me.uk>
More likely the other way given that the new approach only
applys to gmail, making it harder for someone who pinches
your google password to access your other stuff.

SteveW

unread,
May 25, 2022, 7:25:31 AMMay 25
to
Email is probably the only Google function that you access with a
specific third-party app - which could leak the account details. To
enable a specific password, without 2fa for email, you have to turn on
2fa, which makes the rest of your account more secure than your email.

I don't think that they are trying to protect your email from the rest
of your account, just bringing the general level up, taking away the
system that let you use external email readers before, but implementing
a new system to allow you to continue using them without compromising
the new systems for everything else.

Andy Burns

unread,
May 25, 2022, 9:23:53 AMMay 25
to
Tim Streater wrote:

> That's all, in fact, that they have done, other than only allowing this if you
> agree to them having your phone number.

Giving them a phone number to allow a confirmation by text message or voice call
is one option for enabling 2SV, but it's not their preferred option, which is to
use an existing phone or tablet already signed-in to the the same google
account, the third option is a USB or NFC security dongle.

<http://andyburns.uk/misc/google-2sv.png>

After the initial sign-up, there is even an option to print out a batch of
one-time codes, to allow signing in when you don't have your phone or dongle
with you.

Peeler

unread,
May 25, 2022, 10:56:56 AMMay 25
to
On Wed, 25 May 2022 20:06:31 +1000, lacksey, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

<FLUSH the abnormal trolling senile cretin's latest trollshit unread>

--
Tim+ about trolling Rodent Speed:
He is by far the most persistent troll who seems to be able to get under the
skin of folk who really should know better. Since when did arguing with a
troll ever achieve anything (beyond giving the troll pleasure)?
MID: <1421057667.659518815.743...@news.individual.net>

lacksey

unread,
May 25, 2022, 1:41:04 PMMay 25
to
On Wed, 25 May 2022 21:25:26 +1000, SteveW <st...@walker-family.me.uk>
Lots of stuff allows you to use google to login now.

> To enable a specific password, without 2fa for email, you have to turn
> on 2fa, which makes the rest of your account more secure than your email.

> I don't think that they are trying to protect your email from the rest
> of your account, just bringing the general level up, taking away the
> system that let you use external email readers before, but implementing
> a new system to allow you to continue using them without compromising
> the new systems for everything else.

But if you don't use gmail, you don't need to change anything.

Peeler

unread,
May 25, 2022, 2:15:09 PMMay 25
to
On Thu, 26 May 2022 03:40:57 +1000, lacksey, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

<FLUSH the abnormal trolling senile cretin's latest trollshit unread>

--
Bod addressing abnormal senile quarreller Rodent Speed:
"Do you practice arguing with yourself in an empty room?"
MID: <g4ihla...@mid.individual.net>

SteveW

unread,
May 25, 2022, 3:57:14 PMMay 25
to
Yes, but not the other way around.

>> To  enable a specific password, without 2fa for email, you have to
>> turn on 2fa, which makes the rest of your account more secure than
>> your email.
>
>> I don't think that they are trying to protect your email from the rest
>> of your account, just bringing the general level up, taking away the
>> system that let you use external email readers before, but
>> implementing a new system to allow you to continue using them without
>> compromising the new systems for everything else.
>
> But if you don't use gmail, you don't need to change anything.

Agreed, but then you'd not have third party app to potentially
compromise your password.

N_Cook

unread,
May 30, 2022, 7:06:26 AMMay 30
to
On 23/05/2022 14:37, David wrote:
> Google has decided to turn of access to gmail accounts from 30th May.
>
> Does anyone have a list of email clients which are considered to be secure?
> Which ones do others use?
> Or do you avoid Gmail accounts?
>
> I use Thunderbird on Windows and K-9 mail on Android.
>
> I have no desire to be forced to use webmail.
>
> Cheers
>
>
>
> Dave R
>
>

Still had normal gmail access 11:30 BST today via Thunderbird v15, I
think, cookies enabled but as ancient i assumed it would cease gmail
function.
Due to this thread I checked via library access and web browser last
week and secondary authorising via ref to a defunct email account I used
to have. Again library access today about 10:30 and simple PW only
access . I thought libraries wiped all cookies after each person's
session????
Perhaps cuts in 9am CPT or something yanky

--
Global sea level rise to 2100 from curve-fitted existing altimetry data
<http://diverse.4mg.com/slr.htm>

The Natural Philosopher

unread,
May 30, 2022, 7:30:52 AMMay 30
to
On 30/05/2022 12:06, N_Cook wrote:
> On 23/05/2022 14:37, David wrote:
>> Google has decided to turn of access to gmail accounts from 30th May.
>>
>> Does anyone have a list of email clients which are considered to be
>> secure?
>> Which ones do others use?
>> Or do you avoid Gmail accounts?
>>
>> I use Thunderbird on Windows and K-9 mail on Android.
>>
>> I have no desire to be forced to use webmail.
>>
>> Cheers
>>
>>
>>
>> Dave R
>>
>>
>
> Still had normal gmail access 11:30 BST today via Thunderbird v15, I
> think, cookies enabled but as ancient i assumed it would cease gmail
> function.
> Due to this thread I checked via library access and web browser last
> week and secondary authorising via ref to a defunct email account I used
> to have. Again library access today about 10:30 and simple PW only
> access . I thought libraries wiped all cookies after each person's
> session????
> Perhaps cuts in 9am CPT or something yanky
>
I am using Thunderbird for gmail. I enabled the 'use insecure
application' bollox.

settings are

SMTP
====
port 465 on smtp.gmail.com using :SSL/TLS security and method: Oauth2

POP
===
port 995 on pop.gmail.com using :SSL/TLS security and method: Oauth2

I have also had IMAP working but prefer to delete messages off the
server - I only use gmail for where I need a google account.

HTH
--
All political activity makes complete sense once the proposition that
all government is basically a self-legalising protection racket, is
fully understood.

Andy Burns

unread,
May 30, 2022, 8:04:02 AMMay 30
to
On 30/05/2022 12:06, N_Cook wrote:

> Due to this thread I checked via library access and web browser last week

Nothing's going to change for web browser access to gmail, only email client
access ...

Andy Burns

unread,
May 30, 2022, 8:05:13 AMMay 30
to
The Natural Philosopher wrote:

> I am using Thunderbird for gmail. I enabled the 'use insecure application' bollox.

That is what they are due to disable, you need to either use oauth2, or create a
thunderbird specific password.



N_Cook

unread,
May 30, 2022, 9:05:26 AMMay 30
to
web access , only testing, as a last resort if required, otherwise
un-installed latest version of TB on a thumbstick, left unexecuted so far.
It was bad enough 10 years or so ago, but now there is a phenominal
amount of irrelevant (to emal) crap on web-browser "gmail" , alright for
those who like playing the video game , whack-a-mole on infuriating
irrelvant popups I suppose.

The Natural Philosopher

unread,
May 30, 2022, 10:08:21 AMMay 30
to
Oauth2 *is* 'insecure application' IIRC..

--
New Socialism consists essentially in being seen to have your heart in
the right place whilst your head is in the clouds and your hand is in
someone else's pocket.

Andy Burns

unread,
May 30, 2022, 10:09:59 AMMay 30
to
On 30/05/2022 15:08, The Natural Philosopher wrote:

> Oauth2 *is* 'insecure application' IIRC..

no, in google's eyes oAuth2 is the "gold standard" they want everyone to use.


Robin

unread,
May 30, 2022, 10:39:50 AMMay 30
to
On 30/05/2022 14:05, N_Cook wrote:
> On 30/05/2022 13:03, Andy Burns wrote:
>> On 30/05/2022 12:06, N_Cook wrote:
>>
>>> Due to this thread I checked via library access and web browser last
>>> week
>>
>> Nothing's going to change for web browser access to gmail, only email
>> client access ...
>>
>
> web access , only testing, as a last resort if required, otherwise
> un-installed latest version of TB on a thumbstick, left unexecuted so far.
> It was bad enough 10 years or so ago, but now there is a phenominal
> amount of irrelevant (to emal) crap on web-browser "gmail" , alright for
> those who like playing the video game , whack-a-mole on infuriating
> irrelvant popups I suppose.
>

Just checked a Gmail a/c in https://mail.google.com/... using Firefox
100.0.2 (64-bit). Even with AdBlock Plus enabled I get no ads, no
pop-ups, no videos etc. I just get mail. Why am I being discriminated
against?

--
Robin
reply-to address is (intended to be) valid

Robin

unread,
May 30, 2022, 11:02:54 AMMay 30
to
Ahem, also true with AdBlockPlus /disabled/

The Natural Philosopher

unread,
May 31, 2022, 6:59:31 AMMay 31
to
Ah, then its pop mail that is an insecure app. Or summat. I dunno. They
just kept barfing at me till I 'fixed' it.



--
“Ideas are inherently conservative. They yield not to the attack of
other ideas but to the massive onslaught of circumstance"

- John K Galbraith

bert

unread,
May 31, 2022, 9:51:07 AMMay 31
to
In article <jfk6mh...@mid.individual.net>, Tim Streater
<timst...@greenbee.net> writes
>The app-specific password I did with gmail last week seems to be working fine
>here.
>
How do you get such a password?

--
bert

Andy Burns

unread,
May 31, 2022, 11:52:38 AMMay 31
to
bert wrote:

> Tim Streater writes
>
>> The app-specific password I did with gmail last week seems to be working fine
>> here.
>>
> How do you get such a password?

First you need to enable two-step verification

<https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome>

Then you can create app-specific passwords, but you can't turn off 2SV, or the
app-specific passwords will be deleted

Are you also using turnpike for email? If not then enabling oAuth2 in your
email client may well be less disruptive ...



bert

unread,
May 31, 2022, 3:28:50 PMMay 31
to
In article <jfmru1...@mid.individual.net>, Andy Burns
<use...@andyburns.uk> writes
Thanks for that and yes I am still using TP for email.
--
bert

bert

unread,
May 31, 2022, 3:28:50 PMMay 31
to
In article <jfmupi...@mid.individual.net>, Tim Streater
<timst...@greenbee.net> writes
>The following is from a note I will be sending to users of my app:
>
>What I have found is that one can continue with the existing app by using
>something called an app-specific password. I'm doing this and it seems to
>work. Here's how.
>
>Firstly, you'll need to logon to your gmail account, and under "Manage
>account", choose "Security". Then, choose to enable Two-step-verification, or
>2SV as they call it (also known as 2FA, or "two factor authentication"). This
>will take you through a sequence where you signup your smart phone to receive
>a code to enter, in addition to your password, at your sign in to Google from
>a device you've not signed in from previously.
>
>Having done this, return to your Security page, and in the part on "Signing in
>to Google", you'll see the section about "App Passwords". Expand that section
>next. Where you see "Select device" in that section, choose your device type.
>Then, where it says "Select App", choose "Other" and enter the name of your
>email client. Now you can click "Generate". This will put up a pane with a
>password in large type that you need to copy (with ctrl/cmd-c or similar) to
>the clipboard.
>
>Now switch to your email client and open the Preferences. Choose your gmail
>account, highlight the password field, and paste (with ctrl/cmd-v or similar)
>the password you copied above into the password field. Then click Save.
>
>End of.
>
Thanks
--
bert

Algernon Goss-Custard

unread,
Jun 1, 2022, 2:17:52 AMJun 1
to
Tim Streater <timst...@greenbee.net> posted
>
>The following is from a note I will be sending to users of my app:
>
>What I have found is that one can continue with the existing app by using
>something called an app-specific password. I'm doing this and it seems to
>work. Here's how.
>
>Firstly, you'll need to logon to your gmail account, and under "Manage
>account", choose "Security". Then, choose to enable Two-step-verification, or
>2SV as they call it (also known as 2FA, or "two factor authentication"). This
>will take you through a sequence where you signup your smart phone to receive
>a code to enter, in addition to your password, at your sign in to Google from
>a device you've not signed in from previously.
>
>Having done this, return to your Security page, and in the part on "Signing in
>to Google", you'll see the section about "App Passwords". Expand that section
>next. Where you see "Select device" in that section, choose your device type.
>Then, where it says "Select App", choose "Other" and enter the name of your
>email client. Now you can click "Generate". This will put up a pane with a
>password in large type that you need to copy (with ctrl/cmd-c or similar) to
>the clipboard.
>
>Now switch to your email client and open the Preferences. Choose your gmail
>account, highlight the password field, and paste (with ctrl/cmd-v or similar)
>the password you copied above into the password field. Then click Save.


Yes, that seems to have worked for me without having to bother with
OAuth2 etc.


--
Algernon

N_Cook

unread,
Jun 2, 2022, 9:36:32 AMJun 2
to
On 30/05/2022 14:05, N_Cook wrote:
> On 30/05/2022 13:03, Andy Burns wrote:
>> On 30/05/2022 12:06, N_Cook wrote:
>>
>>> Due to this thread I checked via library access and web browser last
>>> week
>>
>> Nothing's going to change for web browser access to gmail, only email
>> client access ...
>>
>
> web access , only testing, as a last resort if required, otherwise
> un-installed latest version of TB on a thumbstick, left unexecuted so far.
> It was bad enough 10 years or so ago, but now there is a phenominal
> amount of irrelevant (to emal) crap on web-browser "gmail" , alright for
> those who like playing the video game , whack-a-mole on infuriating
> irrelvant popups I suppose.
>

Blocked from gmail access today , presumably about 12:00 GMT today, no
explanation returned other than "enter new password"

N_Cook

unread,
Jun 3, 2022, 3:54:53 AMJun 3
to
On 02/06/2022 17:05, Tim Streater wrote:
> On 02 Jun 2022 at 14:36:28 BST, N_Cook <div...@tcp.co.uk> wrote:
>
>> On 30/05/2022 14:05, N_Cook wrote:
>>> On 30/05/2022 13:03, Andy Burns wrote:
>>>> On 30/05/2022 12:06, N_Cook wrote:
>>>>
>>>>> Due to this thread I checked via library access and web browser last
>>>>> week
>>>>
>>>> Nothing's going to change for web browser access to gmail, only email
>>>> client access ...
>>>
>>> web access , only testing, as a last resort if required, otherwise
>>> un-installed latest version of TB on a thumbstick, left unexecuted so far.
>>> It was bad enough 10 years or so ago, but now there is a phenominal
>>> amount of irrelevant (to emal) crap on web-browser "gmail" , alright for
>>> those who like playing the video game , whack-a-mole on infuriating
>>> irrelvant popups I suppose.
>>
>> Blocked from gmail access today , presumably about 12:00 GMT today, no
>> explanation returned other than "enter new password"
>
> Did you not read my post about what you need to do, from a few days ago?
>

Normal gmail service returned by the evening.
Your previous info saved but not acted on yet.
I observe the principle, If it aint broke , don't fix it,
; as often other problems emerge when updating/altering/reconfiguring
something that was otherwise working normally.

NY

unread,
Jun 3, 2022, 7:20:22 AMJun 3
to
"N_Cook" <div...@tcp.co.uk> wrote in message
news:t7ceo8$3qnqb$1...@dont-email.me...
>>> Blocked from gmail access today , presumably about 12:00 GMT today, no
>>> explanation returned other than "enter new password"
>>
>> Did you not read my post about what you need to do, from a few days ago?
>>
>
> Normal gmail service returned by the evening.
> Your previous info saved but not acted on yet.
> I observe the principle, If it aint broke , don't fix it,
> ; as often other problems emerge when updating/altering/reconfiguring
> something that was otherwise working normally.

I've seen the same thing. Windows Live Mail gave a bad password response
(popup for POP username/password) yesterday. I didn't get round to checking
my Gmail mailbox via webmail until this morning. I then confirmed that
Thunderbird and the Samsung "Mail" app on my Android phone both worked
because they were already configured to use OAuth2. I was all set to have to
working out how to turn on 2FA so I could define an app-specific password
for WLM, but when I checked for mail just now, it received recent messages.

I too am inclined leave well alone - if it continues to work, all well and
good. If it starts failing permanently, then I'll either set up Thunderbird
on my PC, just for the GMail account, or else I'll look into 2FA and
app-specific password.

I really would like to continue using WLM if I can, but Thunderbird is a
possibility, assuming there is a way of importing saved mail from WLM.

It's a shame that MS abandoned WLM, and their only solutions are the Win 10
"Mail" app (which is nobbut a toy!) or Outlook (which is a pain to configure
and test, doesn't allow you to export mail settings to .iaf files once
you've got everything setup, and saves all your mail to one humungous .pst
file which needs to be backed up entirely, unlike WLM where you are only
saving new/changed/deleted messages so there's much less to backup.
Thunderbird is like Outlook Express: you backup individual mail folders, so
it's a half-way house between WLM and Outlook.

bert

unread,
Jun 3, 2022, 10:26:52 AMJun 3
to
In article <jfuak5...@mid.individual.net>, Tim Streater
<timst...@greenbee.net> writes
>On 03 Jun 2022 at 12:20:15 BST, "NY" <m...@privacy.invalid> wrote:
>
>> "N_Cook" <div...@tcp.co.uk> wrote in message
>> news:t7ceo8$3qnqb$1...@dont-email.me...
>>>>> Blocked from gmail access today , presumably about 12:00 GMT today, no
>>>>> explanation returned other than "enter new password"
>>>>
>>>> Did you not read my post about what you need to do, from a few days ago?
>>>>
>>>
>>> Normal gmail service returned by the evening.
>>> Your previous info saved but not acted on yet.
>>> I observe the principle, If it aint broke , don't fix it,
>>> ; as often other problems emerge when updating/altering/reconfiguring
>>> something that was otherwise working normally.
>>
>> I've seen the same thing. Windows Live Mail gave a bad password response
>> (popup for POP username/password) yesterday. I didn't get round to checking
>> my Gmail mailbox via webmail until this morning. I then confirmed that
>> Thunderbird and the Samsung "Mail" app on my Android phone both worked
>> because they were already configured to use OAuth2. I was all set to have to
>> working out how to turn on 2FA so I could define an app-specific password
>> for WLM, but when I checked for mail just now, it received recent messages.
>>
>> I too am inclined leave well alone - if it continues to work, all well and
>> good. If it starts failing permanently, then I'll either set up Thunderbird
>> on my PC, just for the GMail account, or else I'll look into 2FA and
>> app-specific password.
>
>Well obvs, if your email client has implemented OAuth2, then there's nothing
>you need do except ensure it's used for gmail. Those clients that haven't, or
>as in my case won't, implement that can use the procedure I outlined.
>
Day 3 and my set up, unchanged, is still working.
--
bert

bert

unread,
Jun 4, 2022, 4:36:16 PMJun 4
to
In article <jfuu9j...@mid.individual.net>, Tim Streater
<timst...@greenbee.net> writes
>Well bully for you. So your point was *what*, precisely?
>
Nothing really. Just saying. Maybe UK servers will be changed after bank
holiday but it should have stopped working as of 301st May should it
not.
--
bert

Andy Burns

unread,
Jun 4, 2022, 4:52:06 PMJun 4
to
On 04/06/2022 21:27, bert wrote:

> Maybe UK servers will be changed after bank holiday
> but it should have stopped working as of 301st May should it not.

It changed for me on the 30th, old logins no longer work, oauth2 still works,
seems they are doing it as a phased change, based in god-knows what order.


Tim Lamb

unread,
Jun 4, 2022, 5:06:13 PMJun 4
to
In message <jg1uvi...@mid.individual.net>, Andy Burns
<use...@andyburns.uk> writes
They have a 9 Month *inactive account* notification warning on my rarely
used address.

--
Tim Lamb

Robin

unread,
Jun 4, 2022, 5:15:20 PMJun 4
to
On 04/06/2022 21:27, bert wrote:
No. It all depends on *what* you are using and *how*.

I have/look after several gmail accounts which have continued to work.
They are all using IMAP in MS Outlook 2019. That supports OAuth2 for IMAP.

OTOH the several accounts using POP stopped working at the end of May
until given app passwords - just as Andy Burns said.

Andy Burns

unread,
Jun 4, 2022, 5:32:13 PMJun 4
to
Tim Streater wrote:

> Andy Burns wrote:
>
>> It changed for me on the 30th, old logins no longer work, oauth2 still works,
>> seems they are doing it as a phased change, based in god-knows what order.
>
> What makes you think that?

because some people (americans) are saying it still works with standard
password, without oauth, without app-specific.

I tried reverting from oauth2 to standard password, and it no longer accepted it.

>They did the change, now any email client either
> has to do OAUTH2 or use an app-specific password. That's all there is to it,

But the change doesn't seem to have affected everyone *yet*


bert

unread,
Jun 6, 2022, 1:06:39 PMJun 6
to
In article <faeb1199-7e50-838e...@outlook.com>, Robin
<r...@outlook.com> writes
Mine still working.
--
bert

bert

unread,
Jun 8, 2022, 11:55:04 AMJun 8
to
In article <BDlllKBx...@ghcq.uk>, bert <be...@bert.bert.com> writes
>In article <faeb1199-7e50-838e...@outlook.com>, Robin
><r...@outlook.com> writes
>>On 04/06/2022 21:27, bert wrote:
>>> In article <jfuu9j...@mid.individual.net>, Tim Streater
>>><timst...@greenbee.net> writes
>>>> On 03 Jun 2022 at 15:11:04 BST, bert <be...@bert.bert.com> wrote:
>>>>
>>>>> In article <jfuak5...@mid.individual.net>, Tim Streater
>>>>> <timst...@greenbee.net> writes
>>>>>> On 03 Jun 2022 at 12:20:15 BST, "NY" <m...@privacy.invalid> wrote:
>>>>>>
>>>>>>> "N_Cook" <div...@tcp.co.uk> wrote in message
>>>>>>> news:t7ceo8$3qnqb$1...@dont-email.me...
>>>>>>>>>> Blocked from gmail access today , presumably about 12:00 GMT
>>>>>>>>>>
Stopped yesterday but followed Tim's procedure (thanks Tim) and all up
and running again.
Google 1 Bert 0 AET
--
bert

bert

unread,
Jun 8, 2022, 12:25:03 PMJun 8
to
In article <BMkV2mALRMoiFAj$@ghcq.uk>, bert <be...@bert.bert.com> writes
Spoke too soon. Can receive but can't send
"Application specific password required"
--
bert

Andy Burns

unread,
Jun 8, 2022, 12:30:35 PMJun 8
to
bert wrote:

> Spoke too soon. Can receive but can't send
> "Application specific password required"

As well as changing your POP or IMAP account to oauth, did you set the relevant
SMTP account too?


N_Cook

unread,
Jun 8, 2022, 1:41:55 PMJun 8
to
On 08/06/2022 17:14, bert wrote:
> Spoke too soon. Can receive but can't send
> "Application specific password required"
> --

Lost TB imap contact with gmail lunchtime yesterday , not reverted of
6pm today.
Could access via webmail at the public library today, by single normal
pw dialogue box, previous requiring second confirmation route, I thought
that would be lost on logout as library policy supposedly deleting all
cookies, very strange .
So probably tomorrow will try the latest version of thundderbird after
settings print screen savings.

critcher

unread,
Jun 13, 2022, 6:21:57 AMJun 13
to
On 23/05/2022 14:37, David wrote:
> Google has decided to turn of access to gmail accounts from 30th May.
>
> Does anyone have a list of email clients which are considered to be secure?
> Which ones do others use?
> Or do you avoid Gmail accounts?
>
> I use Thunderbird on Windows and K-9 mail on Android.
>
> I have no desire to be forced to use webmail.
>
> Cheers
>
>
>
> Dave R
>
>
OBVIOUSLY THEY ARE TRYING TO TAKE OVER THE WORLD, AND MAKE EVERYTHING
IMPOSSIBLE WITHOUT THEIR TECHNOLOGY.

Andy Burns

unread,
Jun 13, 2022, 3:04:20 PMJun 13