Google Account: implications of using application-specific passwords

You wrote (emphasis mine):

The higher the number of application-specific passwords the higher the chances are of a brute force attack succeeding.

These passwords have a fixed length and don't contain numbers or symbols, which makes them more susceptible to brute force attacks than a password with unknown length containing letters, numbers and symbols.

Short answer: Not in any practical way.

Long answer:

Do the math: 16 lower-case letters allow 26^16 different passwords, that is more than 10^22 = 10 × 1000^7 = ten sextillion possible passwords.

If the password is chosen randomly with equal probabilities (we have no reason to believe it is not the case), the odds of breaking the password by brute force are negligible, even if Google does not notice the attack and does not take any countermeasure.

Even with 100 application-specific passwords for one Google account, there is no way anyone would try this attack. The "susceptibility" to brute force attacks is zero.

And it is much easier on many smartphones to type a password made of only lower-case letters than a combination of letters and digits or mixed-case letters (for the same number of possible passwords).

You also wrote:

Google does not automatically disable app-specific passwords when they are suddenly used out of their expected context (e.g. to access e-mail even though it was set up for Chrome sync).

That is the only real security issue here.
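The keyspace argument from the answer above, carried through as an added example (not part of the original post). It assumes the 16-lowercase-letter format the answer describes, a hypothetical attacker able to make 10^9 guesses per second with no rate limiting, and shows how long an equivalent mixed-alphabet password would need to be:

```python
import math

# Added example. Assumption (as stated in the answer): an application-specific
# password is 16 uniformly random lowercase letters.
ASP_ALPHABET = 26
ASP_LENGTH = 16

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)

def length_for_equivalent_keyspace(target: int, alphabet_size: int) -> int:
    """Shortest length over `alphabet_size` whose keyspace is at least `target`.
    Uses exact integer arithmetic to avoid floating-point rounding at the boundary."""
    length, space = 0, 1
    while space < target:
        space *= alphabet_size
        length += 1
    return length

def expected_years_to_hit(space: int, valid_passwords: int, guesses_per_second: float) -> float:
    """Expected time to guess any one of `valid_passwords` equally likely values in `space`
    at a sustained guessing rate with no rate limiting (the 'Google does not notice' case).
    With k valid values among N candidates, the expected number of guesses is about N / (k + 1)."""
    expected_guesses = space / (valid_passwords + 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    space = keyspace(ASP_ALPHABET, ASP_LENGTH)
    print(f"16 lowercase letters: {space:.2e} passwords, {entropy_bits(ASP_ALPHABET, ASP_LENGTH):.1f} bits")
    # Length a richer alphabet needs to reach the same keyspace (the answer's phone-typing point).
    for name, size in (("mixed case", 52), ("letters+digits", 62), ("printable ASCII", 94)):
        print(f"  same keyspace with {name}: {length_for_equivalent_keyspace(space, size)} characters")
    # One vs. 100 application-specific passwords on the same account, 1e9 guesses/s, unrestricted.
    for k in (1, 100):
        print(f"  {k} valid password(s) at 1e9 guesses/s: {expected_years_to_hit(space, k, 1e9):.0f} years")
```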


You can NOT sign in to your account with an application-specific password

Application-specific passwords cannot change security settings, only access email and chat. So you can have your privacy compromised, but your account cannot be hijacked.

Here is what happens when you try to log in to change your account settings using an application-specific password:

[Screenshot: google login]


First of all, two-factor authentication clearly protects your primary email account from malicious attacks. Attackers cannot directly gain access to your email account without access to your phone.

This is better than not enabling two-factor authentication as there is an added layer of protection.

What the app-specific password does is provide a clear separation from your email account. It gives a way for applications to access the information from your account without having to divulge the password of your email.

As you can see from your pictures, you can monitor the activity of the app-specific password. If anything is out of the ordinary, you can revoke access of the password.

It might be possible to brute-force the password, but it has less impact than brute-forcing your main account password. Damage control is easier to implement as you can revoke passwords when needed.

Enabling two-factor authentication by Google has no downsides, except for the slight inconvenience of having to reach for your phone or generating a new app-specific password when you need it.