
Application specific passwords or tokens (BB-14202)

      When Bitbucket and Atlassian release two-step verification (two-factor authentication), some applications that rely on basic authentication may no longer work as expected. While Bitbucket recommends that third-party application developers switch to using OAuth, there are still many applications where HTTPS basic authentication may be the only option.

      Application-specific passwords would let users create a password for using Git, Mercurial, and the API over HTTPS as needed.

            [BCLOUD-11774] Application specific passwords or tokens (BB-14202)

            Mitesh Sura added a comment -

            Sourcetree does not support 2FA; we have to use App passwords as a workaround, which is not ideal.

            punkstar added a comment -

            Attachment 2850987722-Screen%20Shot%202016-05-30%20at%2012.49.13.png has been added with description: Originally embedded in Bitbucket issue #11774 in site/master

            Aneita added a comment -

            Removing component: Usability (automated comment)

            @Dan added a comment -

            App passwords have the following benefits:

            1. Isolation – you can have one password per integration / application and manage leaks better.
            2. Scoping – the app password creation screen allows you to set which permissions the app password should receive so you're not giving away all the keys at once.
            3. Limited functionality – even with all scopes present, you cannot log into the web UI with an app password. You also cannot create additional app passwords, SSH keys or OAuth tokens with an app password. This makes it harder for someone to use an app password to create a second back door in your account.

            RichardS added a comment -

            That and they can be revoked without you having to change your account password. And if used properly (i.e. one password per application) you should easily be able to spot which one leaked, which may well give you a hint as to what might have gone wrong (which computer, network, etc. is compromised).
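As an added illustration of the model @Dan and RichardS describe (example code, not Bitbucket's own): one scoped credential per integration, a fixed set of actions that no app password can perform regardless of its scopes, and per-credential revocation that leaves other integrations untouched. The action and scope names are constructed for this example.

```python
from dataclasses import dataclass, field
import secrets

# Actions an app password never gets, even with every scope (constructed names).
NEVER_ALLOWED_FOR_APP_PASSWORDS = frozenset(
    {"web_login", "create_app_password", "add_ssh_key", "create_oauth_token"}
)

@dataclass
class AppPassword:
    label: str         # which integration this credential was issued to
    scopes: frozenset  # API actions this credential may perform, e.g. {"repository:read"}
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    revoked: bool = False

class Account:
    def __init__(self):
        self.app_passwords = {}  # one credential per integration, keyed by label

    def create_app_password(self, label, scopes):
        ap = AppPassword(label=label, scopes=frozenset(scopes))
        self.app_passwords[label] = ap
        return ap

    def revoke(self, label):
        # Per-label revocation: other integrations and the account password are untouched.
        self.app_passwords[label].revoked = True

    def authorize(self, presented_secret, action):
        """Return (allowed, label); the label identifies which integration's credential was used."""
        for ap in self.app_passwords.values():
            if secrets.compare_digest(ap.secret, presented_secret):
                blocked = (ap.revoked or action in NEVER_ALLOWED_FOR_APP_PASSWORDS
                           or action not in ap.scopes)
                return (not blocked), ap.label
        return False, None  # unknown credential: no label to point at

def demo():
    acct = Account()
    ci = acct.create_app_password("ci-server", {"repository:read"})
    tree = acct.create_app_password("sourcetree", {"repository:read", "repository:write"})
    results = {
        "ci_pull": acct.authorize(ci.secret, "repository:read"),     # in scope
        "ci_push": acct.authorize(ci.secret, "repository:write"),    # out of scope
        "tree_web_login": acct.authorize(tree.secret, "web_login"),  # never allowed
    }
    acct.revoke("ci-server")  # suppose the CI credential leaked: revoke only that one
    results["ci_after_revoke"] = acct.authorize(ci.secret, "repository:read")
    results["tree_after_ci_revoke"] = acct.authorize(tree.secret, "repository:write")
    return results
```

The returned label is what lets you tell which integration's credential was presented, which is the leak-localisation benefit RichardS points out.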

            Jaffa added a comment -

            App passwords are useful because not all software supports 2FA login; without this feature, you simply can't use such software without disabling 2FA account-wide.

            greateagle added a comment -

            I'm a little confused about why an app password is any more secure than passing the user/pass as basic auth.

            A packet-sniffer could still easily walk away with your app password, and use it for bespoke api calls (within the permissions scope of that password of course).

            So, am I missing something? What exactly is the advantage?

            Benjamin Echols (Inactive) added a comment -

            @waltherg Bitbeaker uses OAuth, so you should use your regular Bitbucket account credentials to log in to it. App passwords can only be used for HTTPS API calls.

            Andrew S (Inactive) added a comment -

            Hi Ben,

            Congrats on the public release of app passwords!

            In the blog post, you might want to change the words "to just do that" to "to do just that", otherwise it sounds like it's limiting what you can do.

            Cheers,

            Andrew

            Benjamin Echols (Inactive) added a comment -

            App passwords are now available for all Bitbucket users! Check out the blog post for more info: https://blog.bitbucket.org/2016/06/06/app-passwords-bitbucket-cloud/

              Assignee: Unassigned
              Reporter: mbertrand aMarcus (Inactive)
              Votes: 41
              Watchers: 54