Yes, but if you want to reuse them, do so with caution. The reason for an app-specific password is so that if one gets leaked (buggy/malicious software or server), the attacker can’t use it on your other accounts, and so you can revoke/change it without breaking other apps.
I see no problem reusing an ASP across multiple installations of a single app, but I would think long and hard before reusing it for apps from different vendors.
Yes It is reusing passwords which is a big no-no. Like all security measures it is a balance between security and inconvenience. I have only ever had three apps using same ASP and two were from same company (BusyMac) and I judged that the risk was acceptable to me. If I had had many more I might have decided different. In fact since then I have stopped using one of the apps and now that the ASP has been revoked I am only using the same ASP across the two BusyMac apps.
I use BusyCal on multiple devices. After setting a new app specific password for my main iMac running Ventura, I was unable to use the same password on my old iMac running High Sierra, forcing me to create a new one.
Perhaps a little insight into the password reset issue. My wife’s phone, which uses only a iCloud.com email didn’t have the reset issue. Only my devices, with an Apple email going all the way back to the beginnings of dot Mac.
So what is to stop a malicious person guessing, or discovering, an AppleID email and attempting to log into iCloud with it numerous times so that a lock-out by Apple is triggered? Not to break into account - just to be nasty.
It would seem the only way to avoid this is to use a “secret” email as your Apple ID. Not much help if you already have an Apple ID and want to retain all your iCloud and account data.
I’m not sure if I can sign in using a Mac.com or me.com address. I actually don’t know when I created my account, but maybe it’s like yours after all. I’ve had it for at least 10 years, possibly even since the iTools days.
(I actually don’t use the iCloud.com email address to sign into my account. I use my own, non-Apple email address. The iCloud email is part of my Apple ID and can’t be deleted from it. But fwiw, the iCloud address is listed under the emails addresses in my Apple ID, whereas there are no Mac or me.com addresses there. Dunno if these still exist as hidden aliases.)
Mine is also from iTools days but the email & phone numbers list in my Settings > AppleID > Sign in and Security shows mac.com, me.com and iCloud.com…so not the same as you. However since yours is also old is maybe why it affected you.
And it will be hard to maintain secrecy as your AppleID can appear in a lot of places, not just “sign in with Apple”, but also “Pay with Apple Pay”, iMessage, etc.
It is sounding like either someone ran a dictionary attack on iCloud.com, me.com, etc. or there was a targeted run of leaked emails against Apple IDs timed for a weekend when they hoped it wouldn’t be spotted so quickly.