[Spivak]

I don't think depreciating the use of "Give your Google account password to $app" or "Give $app a fixed never expiring key that's as good as your password" unless you explicitly enable it is particularly user hostile.

If you used the Gmail API https://developers.google.com/gmail/api and client that supports OAuth instead of SMTP with username/password you wouldn't really run into this problem.

Yeah it kind of sucks for hobbyists because it's not as simple as sending an SMTP email but that's more to do with the lack of good tooling than something fundamental.