Google flipped the switch in late 2024 to make passkeys the default sign-in for personal accounts, but the password itself is not gone — it is still the fallback, the master key, and the credential every recovery flow eventually leans on. Changing it on desktop takes 90 seconds; on a phone, about the same once you know where Google hid the setting. Here is the full path on every device, what happens to your other Google services the moment you confirm, and the security choices worth making while you are in the menu.
Change Your Gmail Password on Desktop
In Gmail on a desktop browser, click your profile picture at the top right → Manage your Google Account → Security → Password. Google asks you to re-enter the current password, then prompts for the new one twice. Click Change password and the new credential takes effect immediately across all Google services.
Step by step:
- Sign in to Gmail at mail.google.com on any desktop browser. Chrome, Firefox, Safari, Edge — all work the same way.
- Click your profile picture at the top right corner of the Gmail interface.
- In the popover, click Manage your Google Account. A new tab opens at myaccount.google.com.
- In the left rail, click Security.
- Scroll to the section titled “How you sign in to Google” and click Password.
- Google prompts you to re-enter your current password to confirm your identity. Type it and click Next.
- Enter the new password in the New password field. Re-enter it in Confirm new password.
- Click Change password.
Google enforces three rules on the new password: at least 8 characters, not identical to the current password, and not present in the known-breach corpus Google checks against. If your choice gets rejected, try a longer passphrase or use the password manager built into Chrome or your browser of choice to generate one.
The change is instant. Google then asks whether you want to sign out of other sessions — accept this if the password change is in response to suspicious activity, decline if you are simply rotating credentials and want to avoid re-logging in everywhere.
Change It on Android
On an Android phone, open the Gmail app → tap your profile picture (top right) → Manage your Google Account → Security tab → Password. You re-enter the old password, then enter the new one twice, then tap Change password. Same flow as desktop, just buried one tap deeper.
Step by step:
- Open the Gmail app on your Android device.
- Tap your profile picture (or initial) at the top right of the search bar.
- Tap Manage your Google Account.
- Across the top, swipe right until you reach the Security tab. On newer devices it is visible directly; on older Android versions it sits behind a horizontally scrollable tab strip.
- Scroll down to How you sign in to Google and tap Password.
- Re-enter your current password when prompted, then tap Next.
- Type the new password in both fields and tap Change password.
The system Settings app on Android (Settings → Google → Manage your Google Account) opens the exact same screen — useful if you do not want to launch Gmail first. Either path lands on the same Security tab.
Change It on iPhone or iPad
On iOS, the Gmail app exposes the password setting at Profile picture → Manage your Google Account → Personal info → Password. Apple’s Sign in with Apple system does not affect this — your Google Account password lives on Google’s servers and is changed the same way regardless of the device’s OS.
Step by step:
- Open the Gmail app on your iPhone or iPad.
- Tap your profile picture at the top right.
- Tap Manage your Google Account.
- Swipe to the Security tab (or open Personal info — both surface the password row).
- Tap Password.
- Re-enter the current password, tap Next.
- Enter the new password twice, tap Change Password.
If you use Apple’s “Sign in with Apple” for some apps, that is a separate identity — it has nothing to do with your Gmail password. The Google Account credential is what reaches Gmail, YouTube, Drive, Photos, Workspace, and any third-party site where you used “Continue with Google”.
If You Forgot the Current Password
Go to g.co/recover, enter your Gmail address, and Google walks you through identity verification using a recovery phone, recovery email, an Android device you are signed in to, or your last remembered password. If you can answer enough prompts, you get a chance to reset; if not, Google enforces a waiting period before another attempt.
The recovery flow tries options in roughly this order:
- Send a notification to a signed-in phone. If you have Gmail on another device, tap Yes, it’s me in the notification to confirm.
- Receive a code via text or call. Sent to the recovery phone number on file.
- Send a code to a recovery email. Sent to the secondary address Google has on file.
- Answer a security question. Only if you set one years ago — Google has been deprecating these.
- Enter the month and year you created the account. Approximate is fine.
- Last password you remember. A previous password — even from years ago — counts as a strong signal it is you.
Google does not let you brute-force this. After two or three failed verification attempts, the system locks the recovery flow for a few hours to several days. Wait it out and try again with better evidence — do not repeatedly fail; the cooldowns get longer each time.
If recovery fails entirely and you have no recovery options on file, Google may still grant access through a manual review based on past sign-in locations, device fingerprints, and account creation details. Submit at accounts.google.com/signin/recovery and answer as much as you can. The success rate is much higher when you submit the request from a device or network the account has been used on before.
What Happens After You Click Change Password
Changing your Gmail password is changing your Google Account password — the same credential reaches every Google service. You will be signed out everywhere except the device you confirmed during the change, and mobile apps re-prompt for the new password the next time you open them.
Concretely, the moment the change takes effect:
- Gmail, YouTube, Drive, Photos, Calendar, Maps signed-in features all reset to a logged-out state on every device except the one you used.
- Mobile apps (Gmail, YouTube, Drive, the Workspace apps) usually re-prompt for the password the next time you open them. Some prompt for both the password and any 2-step verification factor.
- Smart devices — Chromecast, Google Home, Nest, Android TV — keep working initially because they hold session tokens, but the account-management features (history, recommendations, voice match) may temporarily fail until you re-authorize from a phone.
- “Continue with Google” sign-ins on third-party sites continue to work because they use OAuth tokens, not your password directly. The next time the token expires you may need to re-authenticate, but you will not be kicked out of those sites immediately.
- App passwords (the legacy 16-character codes you generated for older apps that did not support 2-step verification) are revoked at the moment of the password change. Any app still using one will fail to connect — you will need to generate fresh app passwords.
If you saved the old password in a browser’s autofill, browsers usually detect the change and prompt to update the saved entry. Confirm the prompt or you will be auto-filling the old password on every login attempt.
Rotating credentials across multiple email accounts gets tedious. If you maintain a personal Gmail, a work Gmail, an Outlook, and a few IMAP mailboxes, a desktop client centralizes the credential management — one re-auth on the client and every connected account is back online.
Should You Replace It With a Passkey?
A passkey is a cryptographic credential bound to your device — your phone, laptop, or hardware key — that signs you in without a password. Google made passkeys the default for personal Google Accounts in late 2024. They are stronger than a password plus 2FA, immune to phishing, and after the initial setup, you mostly never see them. Adding one does not remove your password, but it makes the password largely irrelevant.
The mechanics:
- A passkey is a public-private key pair created by your device. The public key sits on Google’s servers; the private key never leaves your device.
- When you sign in, Google sends a challenge, your device signs it with the private key (gated by Face ID, Touch ID, Windows Hello, or your device PIN), and you are in.
- Phishing cannot capture a passkey — there is nothing to capture. The private key never moves and the sign-in is bound to the legitimate Google domain.
- A passkey on an iPhone syncs to your other Apple devices via iCloud Keychain. On Android, it syncs via Google Password Manager. On a security key (YubiKey, Google Titan), it is bound to that physical device.
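The challenge-and-sign exchange in the list above, as an added example (not Google's code and not the full WebAuthn wire format): a simplified Node.js model of the device and the server. The relying party `accounts.example`, the look-alike host and every function name are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Authenticator (phone, laptop, security key): private keys indexed by relying-party ID.
class Authenticator {
  constructor() { this.credentials = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.credentials.set(rpId, privateKey); // the private key stays inside this object
    return publicKey;                       // only the public key goes to the server
  }
  // The origin is supplied by the browser from the real page URL, not by the page itself.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname;  // simplification: RP ID = exact hostname
    const privateKey = this.credentials.get(rpId);
    if (!privateKey) return null;           // no credential for this host: nothing to hand over
    const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
    const authData = sha256(rpId);
    const signed = Buffer.concat([authData, sha256(clientData)]);
    return { clientData, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// Server side: check the challenge, the origin and the RP ID hash, then the signature.
function verifyAssertion(assertion, { publicKey, expectedChallenge, expectedOrigin }) {
  if (!assertion) return 'no-credential';
  const client = JSON.parse(assertion.clientData);
  if (client.challenge !== expectedChallenge) return 'challenge-mismatch';
  if (client.origin !== expectedOrigin) return 'origin-mismatch';
  if (!assertion.authData.equals(sha256(new URL(expectedOrigin).hostname))) return 'rp-mismatch';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientData)]);
  const valid = nodeCrypto.verify('sha256', signed, publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

function demo() {
  const ORIGIN = 'https://accounts.example';  // constructed relying party, not a real service
  const device = new Authenticator();
  const publicKey = device.register('accounts.example');
  const newChallenge = () => nodeCrypto.randomBytes(32).toString('hex');
  const [c1, c2] = [newChallenge(), newChallenge()];
  const ctx = (ch) => ({ publicKey, expectedChallenge: ch, expectedOrigin: ORIGIN });
  const good = device.sign(ORIGIN, c1);
  return {
    legitimate: verifyAssertion(good, ctx(c1)),
    replayed: verifyAssertion(good, ctx(c2)),   // old assertion against a fresh challenge
    lookalike: verifyAssertion(device.sign('https://accounts.examp1e', c2), ctx(c2)),
  };
}
```

The look-alike host fails before any signature exists, and a captured assertion fails against the next challenge, which is why there is nothing reusable for a phishing page to collect.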
To add a passkey: Google Account → Security → Passkeys → Create a passkey. The device walks you through Face ID/Touch ID confirmation. Done.
Should you remove the password after adding passkeys? Not yet. Removing the password is possible (the option appears under Password once you have passkeys plus 2FA enrolled), but if you lose your phone and your passkey syncs are not fully functional, you may lock yourself out. Keep the password as a fallback for at least one full credential-loss test cycle.
When a Password Change Is Actually Warranted
NIST updated its digital identity guidance in 2024 to explicitly recommend against scheduled password changes for personal accounts. Rotating a strong password on a calendar drives users to weaker, predictable variants. Change your Gmail password when there is a triggering event — not on a quarterly basis.
The events that actually justify a change:
- A data breach reported by a service where you reused the same password. Have I Been Pwned (haveibeenpwned.com) is the canonical reference; Google’s own Password Checkup (built into Chrome and the Google Account dashboard) flags reuse against known leaks.
- Suspicious activity on the Google Account. Security tab → Recent security activity. Sign-ins from unfamiliar locations or unknown devices are the signal.
- Shared-device exposure. You typed the password into a public, work, or borrowed device and are not certain it is clean.
- Moving away from a compromised or untrusted password manager. If you used to save Gmail in a password manager that has since been compromised (or that you no longer trust), rotate.
- Onboarding a new credential strategy. Switching from a weak old password to a 20-character passphrase from a password manager is a legitimate, one-time rotation.
What does not justify a change: a calendar reminder, a vague “I haven’t changed it in a while” instinct, or pressure from a company that requires it (most still do, despite the NIST guidance — push back where you can).

Alexis Dollé, email expert for 10+ years. Founder of Email Tools. I test every email client and utility myself, then write about them the way I’d explain them to a friend — no marketing fluff, no sponsored rankings, every claim sourced.
Sources & references
- Google Account Help, “Change or reset your password” — desktop and mobile flows, minimum requirements, sign-out behavior across devices. Accessed 2026-05-15. support.google.com/accounts/answer/41078
- Google Account Recovery, g.co/recover — step-by-step recovery options when the password is forgotten, cooldown behavior. Accessed 2026-05-15. g.co/recover
- Google Account Help, “Sign in with a passkey instead of a password” — passkey setup, device-binding model, fallback behavior. Accessed 2026-05-15. support.google.com/accounts/answer/13548313
- Google Security Blog, “Passkeys: the future of authentication, default on personal accounts” — passkey default rollout late 2024. Accessed 2026-05-15. blog.google/technology/safety-security/passkeys-default-google-accounts/
- NIST Special Publication 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management” — guidance against scheduled password rotation for personal accounts. Accessed 2026-05-15. pages.nist.gov/800-63-3/sp800-63b.html
Frequently asked questions
How often should I change my Gmail password?
Only when there is a reason. NIST guidance updated in 2024 explicitly recommends against scheduled password changes for personal accounts — they push users toward weaker, predictable variants. Change it after a known breach, a shared-device scare, suspicious activity under Recent security activity, or when replacing a password that has been stolen.
What if I forgot my Gmail password?
Go to g.co/recover and enter the email address. Google walks you through recovery using your recovery phone, recovery email, a previously signed-in device, or your last remembered password. If recovery fails after several attempts, Google enforces a waiting period — try again after the cooldown rather than starting over repeatedly.
Will changing my Gmail password sign me out of YouTube and Drive?
Yes. Gmail, YouTube, Drive, Photos, and Calendar share one Google Account credential, so changing the Gmail password signs you out everywhere except devices you confirm during the change. Mobile apps usually re-prompt for the password the next time you open them; Chromecast and connected smart-home devices may need manual re-authorization.
Do passkeys replace the Gmail password completely?
Not yet, but they can. Since 2023 Google has let users add passkeys as the primary sign-in method, and from late 2024 onward “Skip password when possible” is on by default on supported devices. The password is still on the account as a fallback, but you may never type it again if your phone has a registered passkey. You can fully remove the password only after enrolling at least one passkey and a recovery method.
Can I see when my Gmail password was last changed?
Open Google Account → Security → “Recent security activity” or “Your devices”. Password change events appear in the activity log with the device, location, and timestamp. If you see a change you did not perform, click “Secure your account” immediately — Google walks you through revoking sessions and re-securing recovery options.
Why won’t Google accept my new password?
Google rejects passwords that are too short (under 8 characters), too common (in known breach corpora), or that match your current password. It also blocks passwords that contain the literal characters of your username or email. Pick a longer phrase or run it through a password manager’s generator — both fix most rejections.