Mr. Root's reply is misleading and incomplete, I believe. The age of your OS (like mine) means that 2-factor authentication is not available to us. Instead, 2-step authentication is required. (In spite of the similarity of names, 2-factor authorization is not the same thing as 2-step authorization.) Apparently, older Apple-supplied software is treated the same as third-party software, though none of Apple's documentation that I have found makes that clear.
Furthermore, it appears that email accounts provided by Apple (@mac.com, @me.com, @icloud.com, and maybe others) are implicitly connected to the owner's AppleID, but are not now allowed to utilize the associated password. Instead, they must use one of the new so-called app-specific passwords. I wrote "so-called" because there does not appear to be any way for Apple to associate an "app-specific" password with a specific app. Quite possibly, two or more third-party (or old Apple) apps could use the same "app-specific" password to access a single Apple-provided email account (for example), though that might not be wise. A better methodology might be to use different app-specific passwords on a home desktop machine and a traveling laptop/tablet/smartphone to access the same email account. Then if the traveling machine is stolen (as happened to me), simply deleting its app-specific password from the AppleID account would be sufficient to prevent compromise of that account.
I would like to see Apple's online documentation revised to confirm or correct this guesswork, so that customers will be able to get a better understanding of what these new password & authentication procedures are all about.