Application Passwords are passwords to be used by automated processes like programs, service, other websites, scripts etc. They are not intended for and cannot be used by users to interactively login to your WordPress website. Application passwords can be used (as an alternative to the regular user password) to authenticate against the REST API or the legacy XML-RPC API. This can be useful for the following reasons:
- Preventing mandatory updates to scripts / services when the users changes their password. (the application password does not change when the user changes his/her password)
- Having the ability to easily grant and revoke access to specific applications
- Enabling mandatory two factor authentication or ReCaptcha on users accounts (Additional steps in the authentication process are incompatible with the REST API & XML-RPC API authentication)
Users can generate Application Passwords via their Profile page (Users -> Profile), via the WordPress Backend. By default, all user roles are able to create application passwords linked to their user account.
For sites that don’t utilize Application Passwords, Really Simple SSL offers the possibility to prevent the usage and further generation of Application Passwords. If you allow application passwords, be aware that changing a users standard password is not enough the disable their access to their account, they would still be able to access the REST API & XML-RPC API with their application passwords. (You would need to revoke those too).