A 3-minute video focused specifically on personal Gmail accounts (the @gmail.com kind). Walks through 5 steps to generate the 16-character app password you need to connect Gmail to Outlook, Thunderbird, Apple Mail or iPhone Mail. If you have a Google Workspace account on a custom domain instead, see our companion Gmail and Google Workspace app password guide.
Video Transcript
Hello and welcome. This video shows how to create an app password for a personal Gmail account, which means an account ending in @gmail.com. Google requires this 16-character password for any third-party app or email client that wants to access your Gmail using IMAP or SMTP basic auth. The 16-character app password works as a substitute for your regular Gmail password in clients like Outlook, Thunderbird, Apple Mail, iPhone Mail or scripts and tools that connect to Gmail.
Step one. Open myaccount.google.com in a browser and sign in to the Gmail account you want to enable. Click Security in the left sidebar.
Step two. Two-Step Verification must be on for app passwords to be available. If 2-Step Verification is off, click 2-Step Verification and turn it on now using SMS, Google Prompt, or an authenticator app like Google Authenticator or Authy.
Step three. Once 2FA is on, go directly to myaccount.google.com slash apppasswords. This is the fastest path. Or from the Security page, search for App passwords in the page search bar.
Step four. Type a clear name describing where you will use this password. Examples: Outlook on Office Laptop, iPhone Mail at Home, Backup Tool. Click Create. Google generates a 16-character code displayed in a yellow popup. Copy it immediately, you cannot view it again later.
Step five. Paste this 16-character password into your email client where it asks for your Gmail password. Use server settings imap.gmail.com on port 993 with SSL for incoming, smtp.gmail.com on port 465 with SSL or 587 with TLS for outgoing. Username is your full email address ending in at gmail.com. Test by sending yourself an email. If it arrives, the setup works. Thanks for watching.
Personal Gmail vs Google Workspace: Which Page Do You Need?
This is the page for personal Gmail accounts. If your email address ends in @gmail.com (e.g. yourname@gmail.com), you are in the right place. The procedure below is the simplest possible path because personal Gmail accounts have no admin layer above them, so you control 2-Step Verification and app password creation entirely on your own.
If your email address is on a custom domain (e.g. yourname@yourcompany.com) you have a Google Workspace account, not a personal Gmail account. The steps differ slightly because your Workspace administrator can disable 2FA, app passwords or both at the organisation level. We have a companion guide that covers both account types side by side, with specific notes on what changes when an admin policy gets in the way.
For the rest of this page we assume you have a regular @gmail.com account and full control over your security settings. The pace is brisk: 5 steps, around 3 minutes start to finish, and you will have a working app password ready to paste into Outlook, Thunderbird, Apple Mail or any other IMAP client.
Why You Need an App Password for Personal Gmail
Personal Gmail blocks third-party email clients from logging in with your normal Gmail password the moment you turn on 2-Step Verification. The reason: 2FA is designed to require a second factor (phone, authenticator app, security key) at every login, but most email clients cannot handle that prompt natively. They speak the original IMAP and SMTP protocols which only know about basic username + password auth. Without a workaround, 2FA would lock out every desktop email client.
The workaround is the app password: a 16-character code that the email client uses in place of your regular Gmail password. Each app password is tied to your account but separate from your main credentials. If a device is lost or compromised, you revoke the app password from that device only, and your main Gmail password and 2FA stay intact. Google's official documentation on app passwords explains the design intent and the security properties in detail.
App passwords replaced the old Less Secure Apps toggle, which Google removed in May 2022. Older tutorials that mention "enable less secure apps" are now outdated, the toggle no longer exists in any Google account. App passwords are the modern path.
Gmail Server Settings (Reference Card)
You will need these settings when configuring your email client. Save or screenshot for reference. They are the official server settings documented by Google.
| Setting | Value |
|---|---|
| Incoming server (IMAP) | imap.gmail.com |
| Incoming port | 993 with SSL/TLS required |
| Outgoing server (SMTP) | smtp.gmail.com |
| Outgoing port (SSL) | 465 with SSL/TLS |
| Outgoing port (TLS) | 587 with STARTTLS, use this if your network blocks 465 |
| Username | Your full Gmail address (e.g. yourname@gmail.com), not just the prefix |
| Password | The 16-character app password generated below, NOT your regular Gmail password |
| Authentication | Required for both incoming and outgoing. Tick "My outgoing server requires authentication" in Outlook |
| Pre-requirement | IMAP must be enabled in Gmail Settings > Forwarding and POP/IMAP. Personal Gmail typically has IMAP enabled by default |
5 Steps to Generate Your Personal Gmail App Password
-
Open myaccount.google.com in a desktop browser. Sign in to the Gmail account you want to enable. Click Security in the left sidebar (or top navigation depending on screen size).
-
Confirm 2-Step Verification is on. Look for it in the "How you sign in to Google" section. If it shows Off, click 2-Step Verification, then click Turn on and follow the prompts. Set up your second factor: SMS verification, Google Prompt on your phone, or an authenticator app like Google Authenticator, Authy, or 1Password. App passwords only become visible after 2FA is on.
-
Open myaccount.google.com/apppasswords directly in your browser. This is the fastest path. As a backup, from the main Security page, you can use the page search bar (top right) to find App passwords if it is buried in the new layout.
-
In the App password name field, type a clear, descriptive name like Outlook on Office Laptop, iPhone 15 Mail at Home, or Python Gmail Backup Script. Click Create. Google generates a 16-character code displayed in a yellow popup. Copy it immediately. The code is shown only once. If you lose it, generate a new one and revoke the old one.
-
In your email client (Outlook, Thunderbird, Apple Mail, iPhone Mail, Samsung Email, or any IMAP-compatible app), paste the 16-character app password where it asks for your Gmail password. Use server settings imap.gmail.com port 993 SSL incoming, smtp.gmail.com port 465 SSL outgoing. Username is your full @gmail.com address. Send yourself a test email to verify everything works.
Common Errors and Fixes
| Error or symptom | Cause and fix |
|---|---|
| App passwords link missing from Security page | 2-Step Verification is not yet enabled on your Google account. Turn 2FA on first. Once active, refresh the security page and the App passwords link appears. New Gmail accounts may take a few seconds to update. |
| Outlook shows "invalid credentials" after pasting | The 16-character app password sometimes copies with trailing spaces. Paste into a plain-text editor first, confirm exactly 16 characters with no spaces or newlines, then paste into Outlook. Also check you typed imap.gmail.com exactly, not gmail.com or mail.gmail.com. |
| Send (SMTP) fails but receive (IMAP) works | SMTP authentication is not enabled in your client. In Outlook: More Settings > Outgoing Server > tick "My outgoing server requires authentication", set to "Use same settings as my incoming mail server". Save and retry. |
| "Less secure app access" suggested by older tutorial | Outdated. Google removed the Less Secure Apps toggle in May 2022. App passwords are now the only way for non-OAuth clients. See our explanation of the deprecation. |
| iPhone Mail keeps failing despite correct app password | iOS Mail uses OAuth automatically when you pick "Google" as the account type. The app password is not asked for. To force IMAP+app-password, pick Settings > Mail > Accounts > Add Account > Other > Add Mail Account, then enter all server settings manually. |
| "Account not found" or "Account has been deleted" | You are typing the wrong username. Username must be your full Gmail address including @gmail.com. Some clients try to be helpful and assume just yourname, which Gmail rejects. Use the full address. |
| App password fails after a few days | Google detected suspicious activity and forced re-verification, which invalidates app passwords. Generate a new app password, paste it into your client, and add the device to your trusted list at myaccount.google.com Security > Recent activity. |
| Random connection drops every few hours | You hit Gmail's ~15 concurrent IMAP connection cap. Each device and client uses 1-5 connections. Disconnect old clients (an old laptop still signed in, your tablet, etc.) and wait 10 minutes for stale connections to time out. |
| "Generate" button greyed out on App passwords page | Google has reached the 25 app passwords per account limit. Revoke any old or unused app passwords first. Each personal Gmail can have up to 25 simultaneous app passwords. |
Setting Up Common Email Clients with Personal Gmail
After you have the 16-character app password, the email client side is fast. Each client has small quirks worth knowing.
| Client | Setup notes |
|---|---|
| Microsoft Outlook 2024 / 365 | File > Add Account > type Gmail address > Advanced options > tick "Let me set up my account manually" > pick IMAP > enter server settings. Paste app password. Untick "Save copies of messages in the Sent Items folder" to avoid duplicates. |
| Microsoft Outlook 2019, 2021 | May try OAuth first (a Google sign-in popup appears). If OAuth completes, no app password needed. If OAuth fails, paste app password instead. |
| Microsoft Outlook 2016 and earlier | No OAuth support. Paste app password. Server imap.gmail.com port 993 SSL. |
| Mozilla Thunderbird 128 ESR or later | Tools > Account Settings > Account Actions > Add Mail Account. Thunderbird auto-detects Gmail and uses OAuth automatically, no app password needed. If OAuth fails (rare on personal Gmail), switch to manual IMAP+app-password. |
| Apple Mail (macOS Catalina+) | System Settings > Internet Accounts > Add Account > Google. OAuth flow opens, sign in normally. App password not needed in this path. |
| iPhone Mail (iOS 13+) | Settings > Mail > Accounts > Add Account > Google > sign in via OAuth. The Gmail mobile app uses Google's own protocol, not IMAP, so no app password is needed there either. |
| Python smtplib script | Use SMTP smtp.gmail.com port 587 with STARTTLS. Auth with full email + 16-character app password. Common pattern for solo developers sending transactional emails from a personal Gmail. Daily send cap is 500 messages on personal Gmail. |
| Backup tools (RecoveryTools, BitRecover, SysTools) | All major Gmail backup tools accept the 16-character app password as a drop-in replacement for the regular Gmail password. No extra setup needed in the tool side. |
Real Use Cases for Personal Gmail App Passwords
App passwords on personal Gmail are most common in three scenarios. Knowing which scenario you are in helps you pick the right client and the right naming convention for the app password.
| Use case | Setup notes |
|---|---|
| Solo freelancer or consultant | You use personal Gmail for client work and want to send/receive in Outlook on a Windows laptop. One app password, paste into Outlook IMAP setup. Daily send limit 500 emails, plenty for typical correspondence. |
| Developer running a side project | Sending notification emails from a Python script or Node app via SMTP. App password named Python Notification Script, used in smtp.gmail.com port 587. Note: Gmail caps at 500 outbound/day on personal accounts. Use SendGrid or Mailgun for higher volumes. |
| Migrating from Gmail to another platform | You want to back up all Gmail history before switching to Outlook, ProtonMail, or Workspace. App password named Backup Tool 2026, used in tools like Email Backup Wizard or Thunderbird-to-Outlook converter for the migration. |
| Multiple Gmail accounts in one client | Adding personal Gmail alongside work Workspace, Yahoo, or Outlook accounts in one Outlook or Thunderbird profile. Each account needs its own app password. Name them per account: Outlook Personal Gmail, Outlook Work Workspace, etc. |
| Old phone or tablet | An older Android device or jailbroken iPhone where the native Gmail app does not work but an old IMAP client does. Generate an app password specifically named for the device so you can revoke it if the device is sold or lost. |
| Smart home or IoT device | Some smart home devices send email alerts via SMTP. They cannot do OAuth. App password named Home Camera Alerts. Use port 587 STARTTLS for outgoing. Revoke immediately if the device is replaced. |
Why OAuth is Better Where It Works
App passwords on personal Gmail are the universal fallback that works with any IMAP client, even ancient ones. But where OAuth is supported (modern Outlook, Thunderbird 115+, Apple Mail Catalina+, native iOS Mail and Android Gmail app), OAuth is the safer path. With OAuth, the email client opens a Google sign-in window, you sign in normally with your password and 2FA, and Google issues a temporary access token to the client. Your password never gets stored in the third-party app, and the token can be revoked from your Google Account at any time. Compare to app passwords, which are static credentials sitting in the client's config file. If you can use OAuth, do. App passwords are for the cases where you cannot, mainly older clients, scripts, embedded devices and backup tools.
đź’ˇ Pro tips for personal Gmail app passwords
- Bookmark myaccount.google.com/apppasswords. The main security page layout changes occasionally and the App passwords link can be hard to find. The direct URL always works.
- Name each app password descriptively at creation. "Outlook Office Laptop", "iPhone 15 Mail Home", "Python Backup Script". Six months from now you will not remember which is which when you need to revoke one.
- One app password per device or app. If your laptop is lost, revoke just that one app password. The others keep working. Reusing a single app password across phone + laptop + script makes recovery painful.
- Use OAuth where you can. Modern Outlook, Thunderbird, Apple Mail and iPhone Mail all support OAuth on personal Gmail. App passwords are the fallback for old or limited software.
- Daily send cap is 500 emails on personal Gmail. Workspace allows 2,000. If you hit the cap with a script, your account is throttled for 24 hours. Move bulk sending to a transactional provider (SendGrid, Mailgun, AWS SES).
- Use port 587 STARTTLS if 465 SSL fails on your network. Some Indian residential ISPs and college Wi-Fi block 465 specifically. Port 587 with STARTTLS is the universal choice.
- Untick "Save Sent Items" in Outlook. Gmail saves sent messages server-side via SMTP submission. Outlook also tries to save them locally, creating duplicates. Settings > Mail > Save messages > untick "Save copies of messages in the Sent Items folder".
- Audit your app passwords every 6 months. Visit myaccount.google.com/apppasswords and revoke any whose device you no longer use. Each unused app password is a credential sitting around for no reason.
- If you also have Workspace, the procedure is similar but admin-gated. See our companion Workspace guide.
Frequently Asked Questions
What is a Gmail app password?
A Gmail app password is a 16-character one-time code generated from your Google Account security settings. You enter it instead of your regular Gmail password when adding the account to a third-party email client (Outlook, Thunderbird, Apple Mail, iPhone Mail, Samsung Email) or any app or script that connects to Gmail using IMAP or SMTP basic auth. The app password lets the client log in without going through Google's 2-Step Verification flow each time.
Where is the App Passwords page?
The fastest path is to go directly to myaccount.google.com/apppasswords in your browser. From the Google Account dashboard you can also click Security in the left sidebar and search for App passwords using the page search bar. The link only appears once 2-Step Verification is enabled. If you do not see the link, enable 2FA first.
Why can I not find the App Passwords option?
Two-Step Verification is not enabled on your Google Account. Google hides the App passwords feature until 2FA is on. Enable 2FA first using SMS, Google Prompt or an authenticator app from Security > 2-Step Verification. Once 2FA is enabled, refresh the security page and the App passwords link appears. The same applies for new Gmail accounts that have not yet completed 2FA setup.
What are the IMAP and SMTP server settings for Gmail?
Incoming IMAP: imap.gmail.com, port 993, SSL/TLS required. Outgoing SMTP: smtp.gmail.com, port 465 with SSL or port 587 with STARTTLS, authentication required, use the same Gmail address and password. Username is always your full email address (yourname@gmail.com). The password field needs your 16-character app password, not your regular Gmail password.
Is the personal Gmail flow different from Google Workspace?
The procedure is essentially identical, but Workspace adds an admin layer. On personal Gmail (@gmail.com), you fully control 2-Step Verification and app password creation yourself. On Google Workspace (custom domain like yourname@yourcompany.com), your administrator can disable 2FA, app passwords or both at the organisation level. If your Workspace App passwords page is empty or missing, talk to your Workspace administrator. Our Workspace-focused guide covers the admin-gated cases in detail.
How do I revoke a Gmail app password?
Visit myaccount.google.com/apppasswords. You see a list of all app passwords you have created, with the names you gave them. Click the trash icon next to the one you want to revoke. The connected device or app immediately stops being able to log in. The other app passwords on your account keep working. This is why naming each app password descriptively at creation time matters: six months later you need to know which one to revoke.