Oh. So it's nothing like I thought it was. Well, in that case, screw 2 step.
Even though the app-specific passwords aren't as secure as they could be, they aren't bad. They are robust against dictionary attacks and offer about 72 bits of entropy, which is perfectly adequate for an account login.
Network speed and login-throttling will ensure that the password can't be brute-forced.
Super-complex passwords are only needed if you are protecting encrypted data (where the encryption can be brute forced in situ by high-performance hardware), or if you are reusing passwords and need to protect a password against an application provider having their database compromised and cracked (e.g. via rainbow tables, etc.).
Normally, you would only be using app-specific passwords on trusted personal devices (e.g. a home PC, or a personal smartphone/tablet). These should always be set up to communicate over an SSL connection, so are robust against eavesdropping (even on insecure wifi networks), and most software will select an SSL connection as default.
2 factor is still useful when you need to use untrusted devices or untrusted networks and also protects you against silly blunders (e.g. typing your password into the wrong box and/or allowing shoulder surfing). E.g. you're on vacation in some foreign country with flaky GPRS (never mind EDGE or 3G) connectivity and you're being bent-over by roaming data charges, but need to send some urgent emails and need to stop at a seedy internet cafe. There, 2-factor is ideal, as even if your master password is compromised, without additional authentication, it is useless.