• Hi – just a quick question I’m curious about. If the user selects the “Password (requires username and password)” option for Authentication during the setup using the wizard and enters their Google email address and password, what would happen in future if they change the password for their email address?

Viewing 6 replies - 1 through 6 (of 6 total)
  • You need to re-enter the password

    Thread Starter erjjio

    (@erjjio)

    Really appreciate the quick response – thanks a lot!

    That makes sense, but just to understand the detail – in this scenario would the user get an email from the plugin notifying them that they need to re-enter the p/w… or would that perhaps be impossible because by definition the plugin wouldn’t have a valid password in place to be able to send that notification over SMTP?

    I’m setting the plugin up on behalf of a very non-technical client, so I’m just a little hesitant to use the Password method in case they change the p/w and don’t realise that the plugin config also needs to be updated, causing them to subsequently stop receiving notifications from their enquiry forms etc without them realising it’s broken.

    It seems like the OAuth method would be more robust to avoid that risk (I think?), but it’s more complicated to set up and ideally I’d like the client to be able to use the p/w method as it’s very quick and easy, and we can just show them how to use the wizard, without us having to ask for their password ourselves. It just depends on whether they’d be alerted somehow as described above, as we have no way of knowing ourselves at our end, if and when they happen to change their Gmail password.

    Hope the question makes sense and thanks again!

    Hi,

    Same for oauth.

    You are correct about the notifications, check the fallback tab inside settings

    Thread Starter erjjio

    (@erjjio)

    Ah yep big thanks again, I hadn’t spotted those fallback settings and they’re really handy!

    Sorry to ask another question but while I’ve been attempting to figure it out for this client’s site today using the Password method, I’ve hit a security issue:

    5.7.8 Username and Password not accepted. Learn more at
    5.7.8 https://support.google.com/mail/?p=BadCredentials f23sm2809662wmf.1 – gsmtp

    The password I’m entering is correct (as I’m able to sign into other Google services with it successfully) – but it generated a separate ‘Critical security alert’ to be sent from Google to the client, saying that a sign-in was attempted from a less secure app.

    Do you know whether the “Allow less secure apps to access your account” setting (mentioned in the above troubleshooting page) always needs to be switched on in the client’s Google account in order for the plugin to work, using the Password method (i.e. Post SMTP is regarded by Google as a less secure app)?

    @erjjio If you use the ‘old’ method of username and passwords to access a Google mail account, then you do indeed need to have the “enable less secure apps access to your account” setting enabled.
    It’s the same if you set up say a mail client like Thunderbird to access your Gmail account using username and passwords.

    Google applies the label of “less secure app” to ALL apps that use a password/username to access the account, rather than the more secure method.

    A better method is rather than use the actual password for that account, create a unique password just to be used by that app.
    Read more here: https://support.google.com/accounts/answer/185833

    Using this method you would create a password for Thunderbird, a password for SMTP (i.e. for any less secure app). This lets you keep your main Google Email password secret from the other 3rd party apps.
    It does mean that you need to switch on 2FA on your Google Account, but that should be done anyway in this day and age (IMHO).

    A shortcut to App passwords once you’ve switched on 2FA is: https://myaccount.google.com/apppasswords

    Regards

    Chris

    • This reply was modified 5 years, 6 months ago by shinerweb. Reason: added more detail to reason for using App Passwords
    Thread Starter erjjio

    (@erjjio)

    @shinerweb Hi Chris and thanks very much for the further feedback, much appreciated.

    I concluded that it’s best to go for the recommended OAuth method and I’ve now set this up for the client successfully.

    I think having to switch on 2FA would probably be a bit of a nuisance for clients, as they probably wouldn’t want to have to go through a 2 step process every time they login to their email – even though OAuth is a bit more involved to set up, the end result is the most convenient for the client so that’s my preference overall.

    Thanks again for the help.

    Ben
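The silent-failure worry raised in this thread (a changed password breaking mail delivery without anyone noticing) can also be caught by a scheduled check that attempts SMTP AUTH and recognises the 5.7.8 reply quoted above. This is an added example, not part of the thread and not Post SMTP's own code; the function names are hypothetical, and it assumes the 535 reply code that RFC 4954 pairs with 5.7.8 (the page shows only the 5.7.8 part).

```python
import re
import smtplib
import ssl

# Enhanced status code (RFC 3463) at the start of a reply line, e.g. "5.7.8 ...".
ENHANCED = re.compile(r"^(\d\.\d{1,3}\.\d{1,3})\s", re.MULTILINE)


def classify_reply(code, message):
    """Map an SMTP reply to 'ok', 'bad_credentials', 'temporary' or 'other'."""
    text = message.decode("utf-8", "replace") if isinstance(message, bytes) else message
    match = ENHANCED.search(text)
    enhanced = match.group(1) if match else None
    if 200 <= code < 300:
        return "ok"
    # 535 / 5.7.8 means the stored password or app password is no longer valid.
    if code == 535 or enhanced == "5.7.8":
        return "bad_credentials"
    # 4yz replies are transient; retry before alerting anyone.
    if 400 <= code < 500:
        return "temporary"
    return "other"


def check_login(host, port, user, secret, timeout=15):
    """Attempt STARTTLS and AUTH without sending mail; return a classification.

    host/port are supplied by the caller (assumption: a submission port that
    offers STARTTLS, such as 587). No message is sent.
    """
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ssl.create_default_context())
            smtp.login(user, secret)
        return "ok"
    except smtplib.SMTPResponseException as exc:
        # SMTPAuthenticationError is a subclass and carries the server's reply.
        return classify_reply(exc.smtp_code, exc.smtp_error)
    except (OSError, smtplib.SMTPException):
        return "unreachable"
```

A "bad_credentials" result should be reported through a channel that does not depend on the same mailbox, since mail sent with the failing credentials will not arrive.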

  • The topic ‘Password Authentication method’ is closed to new replies.