And this has to be done each time you change your passwords...
No, your password that you access the member center and mail.rogers.com can be changed and it will not affect your app passwords.
So if I logon to webmail with email@example.com and XXXXXXXXX, I can change XXXXXXXXX to a different password and it will not affect my apps.
If you want a new app password for some reason, you can trash your old one and generate a new one, but there is no need to unless you delete an app or email profile and need to recreate it.
Now I'm really confused. Please straighten me out! This is my understanding.
For web mail etc there are in effect two passwords, an "app" password for the device / account that authorises mail on that device for that account. The user still enters the account password. The app authorisation, once established is hidden / automatic. Account password can be changed without affecting app password and vice versa.
For Outlook etc, that do not support two passwords, one continues with single password. But instead of user defined memorable password (e.g. baLrog&76) not saved on computer we move to system generated unmemorisable password that must either be written down and typed in each time or saved in Outlook, neither of which is recommended. The user password has become the app password. So to change the (user) password one must change the app password.
Out of curiosity, aside from this Rogers / Yahoo mess, is MS planning any changes to the password regimen for Outlook? If not why not (e.g. weaknesses in OAuth?), and if they are then of course this process becomes simpler, i.e. the app password will be hidden just like in web mail.
Now I'm really confused. Please straighten me out! This is my understanding.
For web mail etc there are in effect two passwords, an "app" password for the device / account that authorises mail on that device. The user still enters the account password. The app authorisation, once established is hidden / automatic. Account password can be changed without affecting app password and vice versa.
Web mail is "mail.rogers.com" and uses only one password. Same password is used for "rogersmembercentre.com".
Hope that clears it up.
Actually my url seems to be
So web mail does not have any device authorisation? I thought the point was that it did, but it's all hidden from the user.
Same for (recent) iOS etc.
My question was really about Outlook, and how that works, and how one changes the "user password" in Outlook.
Is my understanding that in Outlook the user (mail account) password will now be the app password? Etc etc.
There was a suggestion on there that I will try out ... to in fact save the new password in Outlook but to fake a user mail account password by putting windows password protection on the pst files, which will trigger Outlook to prompt for password when the user signs in.
When I tried to create the APP Password for Windows Live Mail, I went through all of the steps, and then I could not access my Rogers email on Live Mail.
In the instructions, it says:
I think I may have selected Done before I went back to my Live Mail and changed the settings. Could this be the reason it didn't work? I don't understand why that would make a difference.
Clarifications to a few questions, that I did my own testing with.
1. You stated you clicked done before setting up the password on the windows Mail app. I just tested this scenario and I set up my Windows Mail on Windows 10 and used the password that I used in Pegasus, Thunderbird, and Mail, and that same created password on the Rogers member page worked in all three.
I did try the last one by clicking done first, and it still worked, so I suspect it was something else in the settings in error. Although I did have it happen once, not sure why, I just deleted another one and redid the process, but my guess at this point is that you have to do the cut and paste process, then click done when your client is set up.
Could others report on their experience of clicking done or not and other times where it may have failed to accept the passcode.
Interesting note - this process claims to be using a one time use password (or so they claim in Yahoo), but it worked on all three of my old clients using old non automatic Yahoo settings. I did this in both Rogers and Yahoo using the same passkey created via yahoo for a yahoo account and via Rogers member page for rogers account and it worked across all apps - so it doesn't appear to be one time as long as you still have it available to you written down, copied and emailed to paste on other apps or computers or devices.
Although, what I am not sure about is the clicking of done. That may then restrict to only the software you set it up before you clicked done, locking it out from future use on new ones. I have not tested that. I left it open and setup three software and it all worked on the same key. This occurs on both Yahoo based or Rogers based emails.
As for putting multiple accounts on the same email app, you would have to set up the first account with the passkey by logging into the member centre for that email.
When done, create a second account, create another passkey and enter it for the next email on your software client, and continue one by one for each secondary email you use. The principle for this is that each secondary account theoretically is for different people possibly, and it provides them their ability to control access to their email and password, not the account holder. It has always been that way.
As for OAuth - I can't say if this is version 2 or earlier, but I certainly hope that is the latter for security reasons. The way the process works on the older versions is the same now, it is just a higher level of protocol security with version 2. And when setting up clients use normal authentication choice, or automatic (if available), not OAuth2.
It doesn't appear that OAuth is being used with the older software, it is just a randomized password created and recognized by the servers, and supposedly one time only. It is important to lock your device to keep access to your email and other apps secure.
So in summary, Rogers has provided a simplified interface for security and password creation for third party email clients, removed access to 2 stage authorization, the ability to turn off the passkey feature, or to accept non secure clients (which seems to still be active at this point with Rogers).
Once they get it nailed down, it appears that it will be fairly user friendly, secure, with limited options, but certainly has been poorly communicated, and when you include the concern we all have for anything Yahoo security related, it creates lack of trust and miscommunication.
Hope this dialogue is providing some clarity. At the end of the day, the instructions provided tell us what we need to do,
Don't currently speak to how to deal with multiple email on one account, there seems to be some issues with timing of the button done and whether the passkeys are truly unique or can be used across multiple devices.
To be safe, I would create one for each device. It also doesn't comment clearly that the delete function allows you to take that passkey out of service for a stolen or compromised device or software, or to decide to change them occasionally.
Again, hope this is helping. I haven't yet reached a point where I could summarize this easily into the existing guidelines, but I think the original writers could review these with the people at Rogers and make the clarifications and modifications, and please let's get a drop dead date.
If you don't meet it, then just extend it.
You can reuse an App password associated to an email address on any number of email clients. I created one and reused on at least two different computers. Yeah, if one of those computers gets compromised, I could delete that one App password and now I would have to regenerate passwords to fix both of those computers.
I use a password manager so a long password string is no big deal. I guess now you don't really need to track these App passwords - if you need to add an email client, just create a new App password for it.