Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

yahoo password did not succeed (Yahoo thinks Thunderbird is "less secure")

more options

Yahoo mail is blocking access to my account from Thunderbird because it apparently considers Thunderbird a "less secure app".

I just set up Thunderbird for first time, using my Yahoo account, but was never able to connect. Kept getting error "Sending of password ... did not succeed. Mail server pop.mail.yahoo.com responded: Server error. Please try again later."

Then I see an email from Yahoo saying they blocked it:

"Your account is currently not enabled to sign in from apps that do not meet modern security standards (ex. Older versions of mail and calendar apps such as Outlook). As a result, we prevented a sign in to your Yahoo account... ... We strongly recommend that you switch to Yahoo's apps ... and remove your account from all other less secure apps."

It's true, I did set the Yahoo mail option to not allow "apps that use less secure sign in", I suppose I can change it if I really have to - but would prefer if Thunderbird could be set to use more secure login settings - is that possible? I had used the default security settings: Connection security= SSL/TLS, Authentication=Normal Password.

Any suggestions?

Yahoo mail is blocking access to my account from Thunderbird because it apparently considers Thunderbird a "less secure app". I just set up Thunderbird for first time, using my Yahoo account, but was never able to connect. Kept getting error "Sending of password ... did not succeed. Mail server pop.mail.yahoo.com responded: Server error. Please try again later." Then I see an email from Yahoo saying they blocked it: "Your account is currently not enabled to sign in from apps that do not meet modern security standards (ex. Older versions of mail and calendar apps such as Outlook). As a result, we prevented a sign in to your Yahoo account... ... We strongly recommend that you switch to Yahoo's apps ... and remove your account from all other less secure apps." It's true, I did set the Yahoo mail option to not allow "apps that use less secure sign in", I suppose I can change it if I really have to - but would prefer if Thunderbird could be set to use more secure login settings - is that possible? I had used the default security settings: Connection security= SSL/TLS, Authentication=Normal Password. Any suggestions?

Chosen solution

Thunderbird CAN NOT use the oAuth2.0 authentication until Yahoo ar prepared to issue tokens for mail applications to use. So really we have tried. Yahoo do not appear interested, so I suggest you enable less secure apps or move to Google where oAuth2.0 has been working since Thunderbird 38 because they actually issue the application tokens.

Read this answer in context 👍 0

All Replies (4)

more options

Chosen Solution

Thunderbird CAN NOT use the oAuth2.0 authentication until Yahoo ar prepared to issue tokens for mail applications to use. So really we have tried. Yahoo do not appear interested, so I suggest you enable less secure apps or move to Google where oAuth2.0 has been working since Thunderbird 38 because they actually issue the application tokens.

more options

Matt said

Thunderbird CAN NOT use the oAuth2.0 authentication until Yahoo ar prepared to issue tokens for mail applications to use. So really we have tried. ...

Oh, so THAT's what they mean ... Okay, thanks Matt.

p.s. Can you suggest any others besides Google who use oAuth2.0? (preferably a good paid service rather than "free")

more options

cookiePJones said

Matt said
Thunderbird CAN NOT use the oAuth2.0 authentication until Yahoo ar prepared to issue tokens for mail applications to use. So really we have tried. ...

Oh, so THAT's what they mean ... Okay, thanks Matt.

p.s. Can you suggest any others besides Google who use oAuth2.0? (preferably a good paid service rather than "free")

I can not offer you anything with regard to paid providers other than they exist. Not because of any policy, simply because I do not know.

oAuth2.0 is not really a mail protocol, it is a web browser protocol. One of the reasons so few email programs support it, is that they have to act essentially as a web browser while the authorization dialogs are displayed. Personally I find that somewhat frightening. It is Ok for Thunderbird, we have the Firefox browser components to draw on, but the security implication of having email people start writing web browsers is truly worrying.

Basically oAuth is technically more secure, but it is also persistent, as someone noticed recently, the authorization persists after you delete the password from Thunderbird. So it is a horses for courses thing. Personally I think a user name and password is about as good, as long as the password falls into the passphrase category. http://www.useapassphrase.com/

But the best protection is a provider that locks your account after a number of incorrect attempts. All the information you will see talks about how long passwords take to crack, but this is based on computers throwing millions of guesses and trying again until they get it right. If you account is locked out after 3 or 4 bad attempts then it will take forever to guess your password another attempt can not be made until you go through the steps to again resume use of our account.

In the end, nothing preserves your data on a server except encryption of that data, so regardless of the connection method used, your data is not secure if the provider is hacked. Which is how Yahoo managed to loose something like a billion user names and passwords.

more options

Really good point.