8

We used our Gmail credentials in Nodemailer to send test emails in development. We tried sending one today with the same configuration as yesterday and received the following error:

2020-05-04T10:17:35.547Z Error: Invalid login: 535-5.7.8 Username and Password not accepted. Learn more at
04/05/2020 12:17:35 535 5.7.8 https://support.google.com/mail/?p=BadCredentials s18sm19281474wra.94 - gsmtp
04/05/2020 12:17:35 at SMTPConnection._formatError (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:784:19)
04/05/2020 12:17:35 at SMTPConnection._actionAUTHComplete (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:1523:34)
04/05/2020 12:17:35 at SMTPConnection.<anonymous> (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:550:26)
04/05/2020 12:17:35 at SMTPConnection._processResponse (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:942:20)
04/05/2020 12:17:35 at SMTPConnection._onData (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:749:14)
04/05/2020 12:17:35 at TLSSocket.SMTPConnection._onSocketData (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:195:44)
04/05/2020 12:17:35 at TLSSocket.emit (events.js:310:20)
04/05/2020 12:17:35 at addChunk (_stream_readable.js:286:12)
04/05/2020 12:17:35 at readableAddChunk (_stream_readable.js:268:9)
04/05/2020 12:17:35 at TLSSocket.Readable.push (_stream_readable.js:209:10)
04/05/2020 12:17:35 2020-05-04T10:17:34.439Z RES e77bea28-7092-4ec5-81b7-8230bd068e5a POST /projects/111/items 201 1117
04/05/2020 12:17:35 2020-05-04T10:17:35.588Z Error: Invalid login: 535-5.7.8 Username and Password not accepted. Learn more at
04/05/2020 12:17:35 535 5.7.8 https://support.google.com/mail/?p=BadCredentials p7sm18057972wrf.31 - gsmtp
04/05/2020 12:17:35 at SMTPConnection._formatError (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:784:19)
04/05/2020 12:17:35 at SMTPConnection._actionAUTHComplete (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:1523:34)
04/05/2020 12:17:35 at SMTPConnection.<anonymous> (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:550:26)
04/05/2020 12:17:35 at SMTPConnection._processResponse (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:942:20)
04/05/2020 12:17:35 at SMTPConnection._onData (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:749:14)
04/05/2020 12:17:35 at TLSSocket.SMTPConnection._onSocketData (/home/node/backend/node_modules/nodemailer/lib/smtp-connection/index.js:195:44)
04/05/2020 12:17:35 at TLSSocket.emit (events.js:310:20)
04/05/2020 12:17:35 at addChunk (_stream_readable.js:286:12)

I did some research and discovered that I was supposed to turn on "Less secure apps" but I can't find the settings.

When I visit https://myaccount.google.com/lesssecureapps, I get "Settings could not be read"

Dharman
cross19xx

4 Answers

4

It was a temporary problem on Google's side. By 11:44 UTC it was back for us. https://twitter.com/gsuite/status/1257266044957319169?s=20

DigitalDan
4

We managed to fix it quickly using App Passwords. For anyone using Less Secure Apps login, this is a trivial fix. You just need to set up 2FA (if you don't have it already) and use the generated App Password for logging in from your app, instead of the standard password.

https://support.google.com/accounts/answer/185833

This is easier than migrating to OAuth, often the only option, for anyone in a rush to fix this in production.

Oersted
3

If you are a G Suite admin, you need to migrate it to OAuth. I don't know if Google has disabled LSA for a temporary period or permanently.

https://gsuiteupdates.googleblog.com/2019/12/less-secure-apps-oauth-google-username-password-incorrect.html

LSA is back in security settings, guess it was down for some time.

Bash
0

Updated answer for post May 30, 2022. The less secure apps setting has been removed by Google. It no longer exists.

Less secure apps & your Google Account

To help keep your account secure, from May 30, 2022, Google no longer supports the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.

Important: This deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date.

Work around

If you were using the less secure apps setting to connect to Google's SMTP server, you can create an apps password on your account and use the apps password in place of the user's actual Google password.

2FA must be enabled on the account in order to create an apps password.

You can also use XOAUTH2 in most cases and use an access token.

Linda Lawton - DaImTo
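
The App Password and XOAUTH2 options from the answers above, as an added example that is not code from any of the posts: it builds the options object for `nodemailer.createTransport()` and classifies the 535 error from the question. The `GMAIL_*` variable names and both helper names are assumptions, and the 16-letter check assumes the format in which Google displays App Passwords.

```javascript
// Added example. Env var names (GMAIL_*) and function names are assumptions.
const GMAIL_SMTP = { host: 'smtp.gmail.com', port: 465, secure: true };

// Returns the options object to pass to nodemailer.createTransport().
function gmailTransportOptions(env) {
  const user = env.GMAIL_USER;
  if (!user) throw new Error('GMAIL_USER is not set');

  // Preferred: XOAUTH2. Nodemailer exchanges the refresh token for access tokens.
  if (env.GMAIL_CLIENT_ID && env.GMAIL_CLIENT_SECRET && env.GMAIL_REFRESH_TOKEN) {
    return { ...GMAIL_SMTP, auth: {
      type: 'OAuth2', user,
      clientId: env.GMAIL_CLIENT_ID,
      clientSecret: env.GMAIL_CLIENT_SECRET,
      refreshToken: env.GMAIL_REFRESH_TOKEN,
    } };
  }

  // Fallback: App Password (requires 2FA on the account). Assumed format:
  // 16 letters, displayed in four groups of four. Stripping the spaces and
  // rejecting anything else catches a normal account password set by mistake.
  const appPassword = (env.GMAIL_APP_PASSWORD || '').replace(/\s+/g, '');
  if (!/^[a-z]{16}$/i.test(appPassword)) {
    throw new Error('GMAIL_APP_PASSWORD must be a 16-letter App Password');
  }
  return { ...GMAIL_SMTP, auth: { user, pass: appPassword } };
}

// Map a Nodemailer send()/verify() error to an operator hint.
function explainSmtpError(err) {
  const rejected = err.code === 'EAUTH' && err.responseCode === 535 &&
    /5\.7\.8/.test(err.response || '');
  return rejected
    ? 'Gmail rejected the login: use an App Password or OAuth2, not the account password'
    : 'Not a credential rejection: check network, TLS and Google service status';
}

// Constructed sample error, shaped like the one in the question's log.
const sampleError = {
  code: 'EAUTH', responseCode: 535,
  response: '535-5.7.8 Username and Password not accepted. Learn more at\n' +
    '535 5.7.8 https://support.google.com/mail/?p=BadCredentials - gsmtp',
};
```

Call `gmailTransportOptions(process.env)` at startup so a misconfigured credential fails before the first send, and keep the secrets out of source control.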