Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Yahoo won't accept password (msg: Sending of password for user unsucceessful) unless I change my Yahoo accnt settings to allow Apps to use less secure sign-in.

more options

Thunderbird for Mac 45.2.0 Mac OS 10.10.5

When I use Thunderbird to retrieve my Yahoo email .... (POP mail server Server Name pop.mail.yahoo.com Port 995 Connection security SSL/TLS Authentication method Normal password)

I get the following message:

"Sending of password for user .... did not succeed. Mail server pop.mail.yahoo.com responded: (#MBR1212) Incorrect username or password"

However, If I go to my Yahoo account through web-based email and tab to Account Info > Account Security > Allow apps that use less secure sign in and turn this setting on, ....

Then Thunderbird can retrieve my Yahoo email.

According to Yahoo:

"Some non-Yahoo apps and devices use less secure sign-in technology, which could leave your account vulnerable. You can turn off access (which we recommend) or choose to use them despite the risks."

"Yahoo has a variety of ways for you to maintain your account security. Some older email applications deploy an older security protocol to sign into your account. Going forward, to further improve the security of your Yahoo Mail experience, Yahoo may block sign in attempts from these older security protocols."

"We recommend using the Yahoo Mail app for Android and iOS or using https://mail.yahoo.com to access your Yahoo Mail via an up-to-date web browser."

Thunderbird for Mac 45.2.0 is the most up-to-date version, yet according to above information from Yahoo website, it must be deploying an older security protocol that Yahoo blocks when attempting to sign-in.

Is that a correct understanding, or is there something I am missing? Or is there another way of configuring my email account that will work around this problem?

Thunderbird for Mac 45.2.0 Mac OS 10.10.5 When I use Thunderbird to retrieve my Yahoo email .... (POP mail server Server Name pop.mail.yahoo.com Port 995 Connection security SSL/TLS Authentication method Normal password) I get the following message: "Sending of password for user .... did not succeed. Mail server pop.mail.yahoo.com responded: (#MBR1212) Incorrect username or password" However, If I go to my Yahoo account through web-based email and tab to Account Info > Account Security > Allow apps that use less secure sign in and turn this setting on, .... Then Thunderbird can retrieve my Yahoo email. According to Yahoo: "Some non-Yahoo apps and devices use less secure sign-in technology, which could leave your account vulnerable. You can turn off access (which we recommend) or choose to use them despite the risks." "Yahoo has a variety of ways for you to maintain your account security. Some older email applications deploy an older security protocol to sign into your account. Going forward, to further improve the security of your Yahoo Mail experience, Yahoo may block sign in attempts from these older security protocols." "We recommend using the Yahoo Mail app for Android and iOS or using https://mail.yahoo.com to access your Yahoo Mail via an up-to-date web browser." Thunderbird for Mac 45.2.0 is the most up-to-date version, yet according to above information from Yahoo website, it must be deploying an older security protocol that Yahoo blocks when attempting to sign-in. Is that a correct understanding, or is there something I am missing? Or is there another way of configuring my email account that will work around this problem?

Chosen solution

Sounds like yahoo have gone down the same route as gmail. Although the info below is talking about gmail, the same info will apply to what Yahoo are obviously now starting to use.

Is there an option to use OAuth2 for 'Authentication method' in Account Settings > Server settings and also in the Outgoing server (SMTP) setting?

It is likely to be available for IMAP and SMTP, but possibly not POP.


Located some info:

Sounds like Yahoo has swallowed Google's "OAuth2" Kool-Aid. This is a login protocol, that instead of requiring a username and password for authentication, stores a token in a cookie on your system and uses that instead. This supports logging in to third party sites like Facebook without having to send your password.

Using OAuth2 for "secure authentication" will popup a window for your password using your systems default browser. It requires cookies to be enabled for google.com. It creates a token that will be used as if it was a stored password, by the password wizard. You can use a normal password instead for "secure authentication". However, unless you log into https://www.google.com/settings/security/lesssecureapps using a browser and select Allow to let less secure apps access your Google account Gmail may return an error when you try to login if you haven't had the Gmail account for at least 90 days. Using a password is just as secure as OAuth2, except for the possibility for somebody to use Tools -> Options -> Security -> Passwords -> Saved Passwords to view your saved password. This is really just an attempt to increase use of OAuth2, which supports their business plan by supporting logging into third party web sites such as Facebook or Twitter without exposing the users password.

If you are viewing emails only via your computer then it is just as secure.

good comment here explaining: http://security.stackexchange.com/questions/66025/what-are-the-dangers-of-allowing-less-secure-apps-to-access-my-google-account

Read this answer in context 👍 15

All Replies (4)

more options

Chosen Solution

Sounds like yahoo have gone down the same route as gmail. Although the info below is talking about gmail, the same info will apply to what Yahoo are obviously now starting to use.

Is there an option to use OAuth2 for 'Authentication method' in Account Settings > Server settings and also in the Outgoing server (SMTP) setting?

It is likely to be available for IMAP and SMTP, but possibly not POP.


Located some info:

Sounds like Yahoo has swallowed Google's "OAuth2" Kool-Aid. This is a login protocol, that instead of requiring a username and password for authentication, stores a token in a cookie on your system and uses that instead. This supports logging in to third party sites like Facebook without having to send your password.

Using OAuth2 for "secure authentication" will popup a window for your password using your systems default browser. It requires cookies to be enabled for google.com. It creates a token that will be used as if it was a stored password, by the password wizard. You can use a normal password instead for "secure authentication". However, unless you log into https://www.google.com/settings/security/lesssecureapps using a browser and select Allow to let less secure apps access your Google account Gmail may return an error when you try to login if you haven't had the Gmail account for at least 90 days. Using a password is just as secure as OAuth2, except for the possibility for somebody to use Tools -> Options -> Security -> Passwords -> Saved Passwords to view your saved password. This is really just an attempt to increase use of OAuth2, which supports their business plan by supporting logging into third party web sites such as Facebook or Twitter without exposing the users password.

If you are viewing emails only via your computer then it is just as secure.

good comment here explaining: http://security.stackexchange.com/questions/66025/what-are-the-dangers-of-allowing-less-secure-apps-to-access-my-google-account

more options

I too have this problem (using imap on Yahoo). I tried turning on OAuth2 but then TB tells me "the imap server imap.mail.yahoo.com does not support the selected authentication method". Perhaps there's another yahoo server to use?

more options

bcraigie The standard yahoo setting for imap: Type: IMAP

  • Incoming Server Name: imap.mail.yahoo.com
  • User Name: full email address
  • Port: 993
  • Secure connection: SSL/TLS
  • Authentication Method: normal password

If you have logged onto webmail account and enabled 'two step authentication' because you use other devices eg: phone, to access your mail on server, then you will need to generate an application specific password. See info:

If you do not use other devices then make sure 'two step authentication' is switched off.

In webmail Yahoo account tab to Account Info > Account Security select: 'Allow apps that use less secure sign in' . This should allow you access using your webmail password.

more options

@Toad-Hall thank you. However, two step authentication is not turned on, (and thus the option to create app passwords is not available).

Turning on the "Allow apps that use less secure sign in" does fix the problem, but TB45 is not really a less secure app.

It does appear that Yahoo Mail are trying to encourage us to use their webmail because they do not appear to allow us to use OAuth2 which would solve the problem and allow us to turn off the less secure sign in option.

-)