How to use Google application-specific password in script?

My python scripts stopped sending e-mails, so I generated the application specific password, changed my script utility gmail account (e.g., [email protected]) to that password and then successfully used that password (e.g. 'applicationpassw') through the following python script fragment (sorry, no complete example).

email = SMTPHandler(mailhost=('smtp.gmail.com',587),
    fromaddr='[email protected]',
    toaddrs=['[email protected]'],
    subject= webSite + ' not working',
    credentials=('[email protected]','applicationpassw'),
    secure=())
logger.addHandler(email)

So it appears, at least with python 3.6.5 on Windows 10, that all one needs to do is change to using the sixteen char application specific password on the account and in the application.


Are you absolutely sure that you want to use 2-factor auth with the shell scripts? If so, you don't need to try to get your computer or script as "trusted". You just do the full 2-factor auth every time you run the script.

If the target is to skip the manual second factor auth, I'd suggest using application-specific password instead (as already suggested by other answers). Just pretend that you're not using 2-factor auth at all and use your real login name but set password to one generated at https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en (subpage of https://www.google.com/settings/security).

The intent is to set Application-specific password "Name" to a value that is meaningful to you. For example, I have passwords labeled "Pidgin at work", "My Android Phone", "Thunderbird Google Address Book Extension at Work" etc. You could have one for "Calendar and Reader Export Script". If you ever believe that this Application-specific password is compromised ("leaked"), just hit the "Revoke" link on the same page and then generate a new password for your script.

For the code, just use the last version that worked with Google single factor auth. Update: because the original question used URL https://accounts.google.com/ServiceLogin for initiating the session login it's practically faking browser login. However, Google does not officially support this and as I'm writing this, it seems that using application specific password for normal login will end up with error message "Please use your account password instead of an application-specific password".

One thing to understand about the Google 2-factor auth and "trusted computer" is that the actual implementation just adds a permanent cookie with 30 days expiry time to your browser. Trusted computer does not mean your IP address were trusted or some other magical connection were created. Unless your scripts capture the "trusted computer" cookie from your browser of choice, it does not matter at all if you've ever marked your computer as trusted. (The Google form should not say "Remember this computer for 30 days" but "Trust this browser and user account combination for 30 days (save permanent cookie)". However, I guess that was considered too technical...)

Update: (copied from my comment below) The only officially supported method (Server to Server applications) is documented at https://developers.google.com/accounts/docs/OAuth2ServiceAccount. It requires OAuth/JWT encoding the request and using Service Account private key created at https://code.google.com/apis/console. As an alternative you could use ClientLogin authentication (already deprecated, best effort service until 2015).

If you decide to go with OAuth, you might want to look at http://blog.yjl.im/2010/05/bash-oauth.html and https://github.com/oxys-net/curl-oauth