Although I wonder if its necessary if you use an app password. What is the worst a bad-actor can do with the app password?