If you are like me and love a good bit of extra security, then you would have jumped at the chance to enable the 2-factor authentication on your Google account like I did.
It all seems like a pretty good setup: for every standard Google login you use your normal password plus a randomly generated security code, which you can get from an Android app or have sent via SMS message (I think there are other options too). For anything else (like IMAP, gTalk clients, etc.), you generate a random application-specific password to use for that application alone.
Pretty secure right? For most people it must be, but not for me…
So, why did it lower my security?
My Google password is 16 characters long with lower case letters, upper case letters, a couple of numbers, and a couple of random characters. It’s considered very secure by most people, and should be quite hard for a script to crack or randomly guess (although my wife thinks it is ridiculously complicated!). Add to this password the 2nd factor of authentication from the app on my phone, and I have a pretty secure login to Google.
But, let’s look at the application-specific passwords:
Since I use IMAP with Thunderbird at work, gTalk through Empathy, and a couple of other things, I need to set up application-specific passwords. I currently have 6 in my account. The automatically generated application-specific passwords are 16 characters long, with lower case letters and numbers only. Now, if you compare this with my original password, this is a lot simpler to crack or guess. Also note that there are now 7 possible passwords that get into my account. By anyone's logic, I have just reduced my security significantly.
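To put numbers on the comparison above, here is an added worked example (not part of the original post): it computes the keyspace of the two password classes, how much strength is lost when several valid passwords share one space, and how long an exhaustive search would take. The alphabet sizes, the treatment of the generated strings as uniformly random, and the 10^12 guesses/second rate are assumptions.

```python
import math

# Alphabet sizes are assumptions about the two password classes in the post:
LOWER_DIGITS = 26 + 10      # generated app-specific passwords: a-z and 0-9
PRINTABLE_ASCII = 94        # primary password: lower, upper, digits, symbols


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def effective_bits(bits: float, valid_passwords: int) -> float:
    """With k valid passwords in the same space, each guess is k times as
    likely to hit one of them, which costs log2(k) bits of effective strength."""
    return bits - math.log2(valid_passwords)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected years until a random password is hit at a given guess rate
    (on average half the space is searched before the hit). A rate of 1e12/s
    is a hypothetical offline figure; a rate-limited login endpoint allows
    far fewer guesses than that."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / 31_557_600  # seconds per year


def compare(app_passwords: int = 6, length: int = 16,
            guesses_per_second: float = 1e12) -> dict:
    """Summarise the post's scenario: one primary password plus several
    generated app-specific passwords, all `length` characters long."""
    primary = keyspace_bits(length, PRINTABLE_ASCII)
    single_app = keyspace_bits(length, LOWER_DIGITS)
    any_app = effective_bits(single_app, app_passwords)
    return {
        "primary_bits": primary,
        "single_app_password_bits": single_app,
        "any_of_app_passwords_bits": any_app,
        "years_to_hit_an_app_password": years_to_exhaust(any_app, guesses_per_second),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:32s} {value:,.1f}")
```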
So, what do I do? What do you think about this situation? Should I go back to simply having one password, or stick with the 2-factor setup, knowing that I can easily remove compromised passwords without affecting all my systems? Or have I overlooked something that makes this system a lot more secure than I realise?
Please leave your thoughts and comments below.
Update: Manki left a fantastic comment explaining why the security is still better with the application-specific passwords, which I suggest everyone reads before taking my rant as an “oh no, 2-factor auth is bad”.



This thought irked me a little too. A little thinking made things clearer. The idea behind app-specific passwords is enabling 2-factor authentication for protocols that don’t support 2-step authentication, like POP or IMAP.
If I get to know your primary password, I cannot access your account from the browser (because I won’t have the verification code) or from a client like Outlook (because it won’t accept your primary password).
App-specific passwords are applicable only to thick clients that *require* you to give them your password. You cannot use app-specific passwords in the browser. This means that if I get access to one of your app-specific passwords, I cannot log into your Blogger account or change your Gmail filters. Indeed, I can read your mail and impersonate you on chat. But I cannot, for example, lock you out of your account. Seems to me like a fair compromise. (It would be good if Google listed what operations are possible with an app-specific password.)
It’s inconvenient, yes, but I’ll not disable 2-factor for my Google account. It *is* added security.
Manki,
That is a really good point, and it does make me feel better about using it. Another point I thought about which relates directly to what you said is that if an app-specific password is compromised, then you can easily remove it without affecting other logins and passwords.
“It would be good if Google lists out what operations are possible with app-specific password.”
It would be fantastic if Google could implement ACLs for the passwords. That would significantly increase the security.
[...] can only regret that the generated passwords are so — relatively — [...]
[...] did some more research on this on the web and came across another blog post as well as an entry in the Google Apps Forum that also deals with this topic [...]
The application specific password is really not “application specific”.
I could log in to an IMAP account using the Windows Live Mail application and also use the same password to add the Gmail account on my Android phone.
Yeah, it’s not ‘Application Limited’, but rather allows you to create a password for each ‘Application’ and manage it yourself without limiting access.
It would be nice if you could specify permissions, i.e. only allow IMAP and SMTP access, or authentication validation only. *shrugs* It’s better than nothing.
But if the app-specific password was compromised, then accessing your emails is still pretty bad, especially if you use your gmail address to register with other sites, in which case the forgotten password message goes straight to the attacker.
It’s not different from your primary password being compromised. The only difference is, when you discover the breach, you can disable that specific password without needing to change the others.
But yes, I agree, it is a design flaw.