Think your Gmail account is secure? Think again. If it’s been a while since you changed your Gmail password (or logged out of your account), some spring cleaning may be in order.
Here’s why: In late 2023, threat actors found a way to regenerate expired browser session cookies and maintain persistent access to compromised accounts. Google has rolled out a prototype Chrome feature called Device Bound Session Credentials (DBSC), which prevents hackers from stealing session cookies and hijacking login sessions, but it isn’t yet an open web standard.
If you suspect your account has been compromised, signing out of all browsers and resetting your password is a critical first step to take. Below, we share how to quickly change your Gmail password when time is of the essence.
Step-by-Step Guide to Changing Your Gmail Password
Accessing your Gmail account settings
Many people stay signed in to their Gmail accounts for convenience.
In the US alone, we spend five hours a day checking emails: 209 minutes (3+ hours/day) on work email and 143 minutes (2+ hours) on personal email.
However, this habit of staying logged in increases your risk of session hijacking exploits, OAuth-based phishing, and account takeovers (if you stay logged in across devices).
So, what does signing out of all browsers do? It revokes your current sessions, which stops continued, unauthorized access to your data.
First, you’ll want to head to “Settings” in your Gmail account.
To access your Gmail settings:
On a computer
- Type gmail.com into your browser’s address bar and sign in to Gmail.
- Click on the gear icon at the top right corner of the page and select “See all settings” from the drop-down menu.
- You’ll see selections at the top you can choose, such as “General,” “Labels,” “Inbox,” and “Accounts and Import.”
On an iPhone or iPad
- Open the Gmail app.
- Tap the three horizontal lines in the top left corner to open the menu.
- Scroll down and tap “Settings” (the gear icon).
- Select “General settings,” or tap your account to change settings for that account.
Locating the password change option
To change your password on your desktop, click on “Accounts and Import” in “Settings.”
Under “Change account settings,” click “Change password.”
This will take you to a new screen, where you’ll type in your new password twice before clicking the “Change password” button.
You can also click on your profile picture and then “Manage your Google Account.” On the next screen, click on “Security” in the left-hand menu and then scroll down to the section “How you sign into Google.” Finally, click on “Password” to make your changes.
Creating a strong and unique password
What makes a strong password?
According to NIST, length matters most. Ideally, your password should be 12 to 16 characters.
NIST also supports the use of passphrases, ASCII characters, and Unicode, which allows users to leverage their native languages or cultural symbols to create memorable, secure passwords. The use of non-Latin scripts, emojis, and accented characters makes passwords more resistant to credential-based attacks.
Need a little help? Use a password generator to make the password creation process easier and faster.
How to Reset a Gmail Password You Forgot
Visit Gmail recovery page
So, you need to change your Gmail password – but you’ve forgotten your current one.
No problem: Head to the Google Recovery page and enter your email address to begin the process.
Then, click “Next.”
You’ll be asked to use biometrics or another method like passkeys to verify your identity. If you haven’t set these up, click on “Try another way.”
On the next screen, you’ll be asked to type in your current password. Don’t remember it? Click on “Try another way.”
If you provided a phone number or recovery email in the “Security” settings, choose one of them to get a verification code. You’ll use the code to gain access to your account and create a new password.
Find Forgot Your Password
Another method to access your account if you forgot your Gmail password is to follow the normal steps you’d take to sign in to your account.
After entering your email address on the login page, click on the blue “Forgot password?” link. If you’ve set up a phone number or secondary email, you’ll choose one of them to receive a verification code. This code allows you to access your account and create a new (stronger) password.
Why Change Your Gmail Password?
Regular password updates not advised: What to do instead
Based on NIST’s latest recommendations, the traditional advice for regular password changes has evolved. Here are the main takeaways:
- Password changes should only be enforced after a known security incident or breach.
- The current focus is strong passwords based on length, rather than frequent resets.
- Security questions (knowledge-based authentication) should be avoided altogether, as they’re often accompanied by answers that are easily guessed or discovered by attackers through social engineering efforts. Security questions can also be a double-edged sword: users often forget the answers, which leads to account lockouts and frustration.
- MFA (multi-factor authentication) is now strongly recommended by NIST, along with the use of password managers.
- Passwords should be regularly monitored and compared against a “blocklist that contains known commonly used, expected, or compromised passwords.”
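The length rule in “Creating a strong and unique password” and the blocklist point in the list above can be turned into a concrete acceptance check. The following Python is an added example written for this page, not code from the article, NIST or LastPass. It counts length in Unicode code points (so passphrases, accented characters and emoji all count), applies no composition rules, and compares the password against a blocklist. The blocklist and the candidate passwords are constructed samples; a real deployment would load a large list of breached and commonly used passwords.

```python
"""Password-acceptance check modelled on the NIST SP 800-63B points above.

Added example, not code from the article.  BLOCKLIST is a constructed
sample; a real verifier loads a large breached/common-password list.
"""
import unicodedata

MIN_LENGTH = 12   # lower end of the article's 12-16 character range
MAX_LENGTH = 64   # NIST asks verifiers to accept at least 64 characters

# Constructed sample blocklist, stored casefolded so the match is case-insensitive.
BLOCKLIST = {
    "password", "password123", "qwerty123456", "123456789012",
    "letmein12345", "iloveyou2024",
}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical input (a precomposed 'é' versus
    'e' plus a combining accent) is treated as the same password."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = normalize(password)
    n = len(pw)   # code points: 'ñ', 'é' and an emoji each count as one
    problems: list[str] = []
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} characters, need at least {MIN_LENGTH}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} characters, maximum is {MAX_LENGTH}")
    if pw.casefold() in BLOCKLIST:
        problems.append("matches the blocklist of common or compromised passwords")
    # NIST's blocklist examples also cover repetitive strings such as "aaaaaa".
    if n and len(set(pw)) == 1:
        problems.append("a single character repeated")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a blocklisted one, a passphrase, and a Unicode password.
    for candidate in ["password123", "correct horse battery staple", "Mañana-café-🌞-2024"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The check deliberately rejects nothing for “missing an uppercase letter” or “no digit”: NIST’s guidance is that length plus a blocklist comparison does more for security than composition rules, and the Unicode example shows that a password written in a native script or with emoji passes on length alone.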
Protecting your personal information
Is Aunt Sally getting married and sharing her super-secret guest list with only a small circle of trusted confidants?
If she has Gmail, she can send messages in confidential mode to you or anyone else in the bridal party. With this mode enabled, recipients won’t be able to copy, forward, download, or print emails.
Here's how it’s done:
- First, have Aunt Sally sign in to Gmail and then click on “Compose.”
- At the bottom of the email box, tell Aunt Sally to look for a lock icon, which should read “Toggle confidential mode” when she hovers over it.
- A separate box will pop up, which allows her to set an expiration date for the email.
- Next, she’ll choose either “No SMS passcode” or “SMS passcode.”
- If Aunt Sally chooses "No SMS passcode," recipients using the Gmail app will be able to read her emails directly. Recipients who don't use Gmail will be emailed a passcode.
- If Aunt Sally chooses "SMS passcode," recipients will be sent a passcode by text. Be sure she enters your phone number, rather than her own.
- Click “Save.”
But what if Uncle Silas keeps missing tuxedo fittings and pre-wedding family rituals? Plus, he keeps poking fun at them on his Facebook page. Furious Aunt Sally can then open any sent confidential emails and click on “Remove Access.” This will stop Uncle Silas from accessing the contents of the emails, even before their expiration dates.
Preventing unauthorized access to your Gmail account
After revoking session cookies, changing your password prevents the attacker from modifying your current login credentials and locking you out completely.
However, not all attackers choose this approach. They may decide that monitoring you long-term will yield greater benefits. So, it’s important to take appropriate steps to stop this type of unwanted, continuous surveillance:
- Check for account activity by scrolling down to the bottom of the page and clicking “Details” under “Last account activity.” You’ll see login dates and times plus devices and IP addresses used to access your account.
- In “Settings,” click on “Forwarding and POP/IMAP” to check if there are any addresses incoming mail is being forwarded to.
- Use Google’s Security Checkup feature to check for security events, secure your devices, and add extra protections like two-factor verification.
Tips for Keeping Your Gmail Account Secure
Enabling two-factor authentication
Is Gmail safe? According to Google, yes. In February 2024, the tech giant rolled out new bulk sender email delivery requirements. This led to a 65% reduction in unauthenticated emails sent to Gmail users and 265 billion fewer unauthenticated messages sent worldwide.
Google is rightly proud of its AI-enhanced spam filtering capabilities – but hackers have thrown a wrench in the works. In October 2024, they targeted Gmail’s 2.5 billion users with an AI-powered scam so compelling, it made a Microsoft Solutions consultant doubt his own senses.
One way to keep your account secure is by enabling two-factor authentication. Here’s how you can do this while signed into your account:
- Click on your profile (or circular image) in the top right corner of the page and then click on the “Manage your Google Account” button.
- On the left menu, click on “Security.”
- Scroll down and click “2-Step Verification” to begin the process.
- You’ll be prompted to enter your password to verify your identity.
- Next, select how you want to receive your second factor for authentication, such as a Google prompt, codes from the Google Authenticator app, SMS messages or calls from your mobile device, or passkeys.
- After you select your preferred method, you’ll also be given the option of adding backup methods, such as a security key or secondary mobile device number.
- Once you complete all the steps, click “Turn on” to enable 2-step verification.
Regularly reviewing account activity
Regular activity monitoring can uncover logins from mysterious or unfamiliar locations and devices.
To see your Gmail account activity, click on your profile picture or icon at the top right corner of the page. Next, click on “Manage your Google Account” and then “Data and Privacy” in the left menu.
Under “History” settings, click “My Activity.” Here, you can monitor your web activity and YouTube history. You can also enable “Manage my Activity Verification.” This allows Google to verify your identity before you can see or delete your full history on “My Activity.”
This security feature is useful if you’re using Gmail on shared devices.
Avoiding suspicious emails and links
Attackers are increasingly using email to deliver keylogging malware to unsuspecting users. For example, the infostealer SnakeKeylogger records every keystroke you make once you open an infected Office document or PDF attached to an email.
While Google’s AI-based spam filters and new bulk sender requirements are powerful deterrents against phishing emails, vigilance and a multi-layered security approach are essential weapons against dynamic, emerging threats.
But what does this look like?
Let LastPass Remember Your Passwords
Let’s face it: You lead a busy life, juggling emails, meetings, and deadlines. Whether you work from home or in a brick-and-mortar building, you have a long list of household chores waiting for you at day’s end.
The last thing you need is keyloggers and infostealers lurking in email attachments, just waiting for you to click and launch them. At LastPass, we make life easy for you, even if you accidentally click on an attachment. Our autofill feature prevents your credentials from being filled into any website whose URL doesn’t match the one stored in your vault.
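The URL-matching rule described above is the part of a password manager that defeats a phishing page: the credential is released only when the page’s origin equals the origin saved with the vault entry. The JavaScript below is an added example written for this page, not LastPass’s code, and the vault entries and page addresses in it are constructed samples.

```javascript
// Added example, not LastPass's code: an autofill guard that releases a saved
// credential only when the page's origin matches the origin stored with the
// vault entry, so a look-alike phishing address never receives it.

// Constructed sample vault (hypothetical data).
const VAULT = [
  { name: "Google", url: "https://accounts.google.com/signin", username: "sally@example.com" },
  { name: "Example Bank", url: "https://www.bank.example/login", username: "sally" },
];

// Strict origin comparison: scheme, host and port must all match.  Hosts are
// compared as the URL parser normalises them (lower-cased, IDN converted to
// punycode), so a Cyrillic look-alike letter yields a different host.  Only
// https pages qualify, so a downgraded http:// copy of a site gets nothing.
function originMatches(entryUrl, pageUrl) {
  let entry, page;
  try {
    entry = new URL(entryUrl);
    page = new URL(pageUrl);
  } catch {
    return false; // malformed URL: never fill
  }
  if (page.protocol !== "https:") return false;
  return entry.origin === page.origin;
}

// Entries eligible for autofill on pageUrl; an empty array means fill nothing.
function entriesForPage(pageUrl, vault = VAULT) {
  return vault.filter((entry) => originMatches(entry.url, pageUrl));
}

// Demonstration with constructed page addresses.
const pages = [
  "https://accounts.google.com/v3/signin/identifier", // genuine login page
  "https://accounts.google.com.evil.test/signin",     // real name used as a subdomain
  "https://accounts-google.com/signin",               // hyphen look-alike
  "http://accounts.google.com/signin",                // downgraded to http
];
for (const p of pages) {
  const names = entriesForPage(p).map((e) => e.name);
  console.log(p, "->", names.length ? names.join(", ") : "no autofill");
}
```

Note that the comparison is on the full origin rather than on a substring of the hostname: “accounts.google.com.evil.test” contains the genuine name, yet its origin differs, which is exactly the case a substring check would get wrong.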
You also have access to our robust device-based, contextual, biometric, or hardware key authentication options. Our adaptive MFA detects whether an unusual device or location is being used to access your account, which will then prompt additional verification or MFA checks.
At LastPass, we work for your peace of mind, wellbeing, and security. To thank you for saying “maybe” to the password manager trusted by millions, take LastPass for a free, no-obligation test drive today.
FAQ
How do I change my Gmail password on my desktop?
You can change your Gmail password by clicking on “Accounts and Import” in “Settings” and then clicking “Change Password” under “Change account settings.”
How can I reset my Gmail password if I forgot it?
If you forgot your password, you can use Google’s Account Recovery tool to reset your password.
Where can I find my Gmail password?
You can find your Gmail password by clicking on your profile picture at the top right corner of the page. Click on “Manage Your Google Account” and then “Personal Info” in the left-hand menu. Scroll down until you see the “Password” section.
How do I change my Gmail password on my iPhone?
You can change your Gmail password on your iPhone by first opening the Gmail app, tapping on your profile picture, and clicking on “Manage Your Google Account.” Next, tap “Personal Info.”
Under "Basic info," click on “Password.” After you enter your new password, select “Change Password.”
How do I manage my Gmail password?
You can manage your Gmail password by changing it after a known security breach and using a password manager for safe password generation and storage.