The problem doesn't seem to be the ASP itself, but the failed (OAuth-like?) implementation.
"- OAuth tokens are created automatically, while ASPs are a thoroughly manual affair"
"- OAuth tokens use a flexible authorization model, and can be restricted to accessing only certain data or services in your account. By contrast, ASPs are — in terms of enforcement — not actually application-specific at all!"
Well, there's your problem. Application Specific Password isn't very specific at all.
"- OAuth tokens are created automatically, while ASPs are a thoroughly manual affair"
"- OAuth tokens use a flexible authorization model, and can be restricted to accessing only certain data or services in your account. By contrast, ASPs are — in terms of enforcement — not actually application-specific at all!"
Well, there's your problem. Application Specific Password isn't very specific at all.