If using clients that don't support 2FA forces the need to have app passwords, is this any more secure that just having a massively strong password without 2FA in the first place? Are app-passwords as susceptible to brute force as complex, random and long passwords anyway?