Difficulties with AT&T settings

Pulling my hair out… I was forced to create a “secure mail key” in order to send email to an existing email account I had added in Thunderbird. (I am going to migrate away from Postbox.)

I need to understand something (the AT&T support rep couldn’t tell me): does this secure mail key replace my original login password? what is their relationship to each other?

Honestly, I don’t understand how a password made up of all lowercase letters with no numbers or special characters could be more secure than the password I was using. So that makes me wonder if it is functioning as an additional password.

The account in question was setup in Thunderbird with my own password, and had already successfully received messages without the secure mail key at the time. This key apparently was necessary to send messages. I had to go to att.com and log in under this account to create it. Then when Thunderbird gave me the alert that the server needed a new password, I pasted the new “secure mail key” string in the dialog and saved it. The message sent successfully.

So: did I replace my earlier password? that password was still required to log into the web browser at att.com to deal with email or account settings there.

Can someone please explain what the relationship is between the secure mail key I created and the password I already had? and is it really secure if it is made up of just lowercase letters?


The account password is for accessing the account on AT&T’s website, and it might also work for accessing the account from mail apps on phones or tablets. But to access through TB or other desktop apps, use the key instead of the account password, for the incoming and outgoing servers. If the account password doesn’t work with mobile mail apps, use the key there as well.

The key might not be any more secure than the password in your case, but it’s probably ‘stronger’ than the password used by most users.

Yes, it works now. But I really hate it when the tech support people cannot explain why they are doing something a certain way. And why, for example, does my original password remain necessary to access my account settings (through att.com) and is not (seemingly) necessary for sending and receiving mail?

Can they be direct in the English language and tell me straight what the relationship between the password and the mail key is, or is that too much to ask?

The secure key is created after you log onto the AT&T site with your account password, so that is one connection between the two. I can’t say why they think a key is better than the password for desktop mail apps, but it’s consistent with other providers such as gmail, outlook and Yahoo (which underlies AT&T and AOL mail) requiring additional authentication such as OAuth, app passwords, multi-factor authentication etc.