How to change your Google password (step-by-step guide)

Your Google account is more than just a place to check email. It’s where your digital life is stored—your search history, saved passwords, location data, calendar events, and private files going back years. And for most people, it’s also the key to dozens of other accounts.

If someone gets past that single password, they don’t just get into Gmail—they get into everything. That’s why changing your Google password isn’t something you should put off. Whether you’ve spotted something suspicious or just haven’t updated it in a while, it’s one of the most effective ways to protect your identity online.

In this guide, we’ll walk you through how to change your Google password on any device. You’ll also learn how to recover your account if you’ve lost access and what to do next to keep it secure.

Why you should change your Google password

Cyberattacks don’t always start with a brute-force hack. Sometimes, it’s just one reused password, a click on a phishing link, or a leak from a site you forgot you signed up for.

If that password gives access to your Google account, the consequences multiply fast.

You should change your Google password anytime there’s doubt—because by the time you get confirmation, the damage may already be done. Even if your account hasn’t been targeted, regular updates reduce the risk of credential-based attacks.

Signs your Google account may be compromised

Security breaches aren’t always obvious. They often begin with small signs—changes you didn’t make or activities you don’t recognize. These can include:

• Sign-ins from places you’ve never been: A login shows up from another country or on a device you don’t use.
• Security details have been changed: Your recovery email or phone number is different, and you didn’t update it.
• You’re getting password reset emails out of nowhere: Not just from Google, but from other accounts tied to your Gmail.
• There are emails in your sent folder that you didn’t write: Often short, often with links, and sometimes sent to people you know.
• New apps have access to your account: You check your permissions and find services you’ve never used.
• You’re locked out entirely: Your password doesn’t work, and recovery options have been replaced.
• You see purchases you don’t recognize: You might see charges for items you didn’t approve on Google Pay, Google Play, or Google Ads.

If you catch any of this, don’t wait for confirmation. Change your password and secure your account as soon as possible.

Security benefits of changing your password

Most of the time, strong, unique passwords don’t need to be changed. But when there’s even a hint of compromise—like a strange login alert—or if you’re using a weak or reused password, changing it is one of the fastest ways to improve your account security. A good update wipes the slate clean and stops any access you didn’t authorize.

Here’s what a password change can do:

• Neutralizes leaked credentials: If your password was exposed in a breach, even on a different site, changing it makes the stolen data useless.
• Cuts off silent access: Not every breach makes noise. If someone got in quietly, a reset ensures they don’t stay in.
• Breaks reused-password chains: If your old password was the same as or only slightly different from one used elsewhere, changing it ends that overlap.
• Prevents stale password guesswork: Older passwords are more likely to be stored, guessed, or recycled by tools designed to crack common patterns.

When should you change your Google password?

There’s no fixed schedule for changing your password, but there are a few situations where it's important to do so.

How often should you change your password?

You don’t need to change your password frequently if it’s strong, unique, and protected with two-factor authentication. The idea that passwords should be rotated regularly was once common, but today most security experts agree that changing a secure password just for the sake of it doesn’t make you safer.

What matters more is how well your password holds up. If it’s long, random, and hasn’t been reused anywhere else, it can last a long time. There’s no need to replace it every few months unless something feels off. That said, if you ever think your account might be at risk, don’t wait. Change the password immediately and review your account settings.

If you're not using a password manager, now is the time to start. Tools like ExpressVPN Keys help you create and store passwords that are too complex to guess or remember. That way, you never have to reuse logins or rely on your memory.

Situations when a password change is strongly recommended

In some situations, it’s a good idea to change your password right away. These include:

• You’ve received a breach alert: Either from Google or another service tied to your Gmail.
• There’s unusual account activity: Unrecognized logins, changes to security settings, or messages you didn’t send.
• You reused your password: The same password is used on other sites, especially ones with weak security.
• You lost your device: If you mislay your phone or computer, your data could be at risk.
• You gave someone access: Whether temporary or permanent, once it’s been shared, it’s no longer private.
• You haven’t signed in for a long time: If it’s been a while since you last used your Google account, the password may be outdated or reused without you realizing. A quick reset helps ensure it's still strong and secure before you start using the account again.

If you’re in any of these scenarios, don’t wait. Change your password and review your account activity right away.

How to change your Google password (by device)

The steps for changing your Google password are very similar across devices, but the starting point varies. Here’s how to update your Google password, whether you’re on a computer, iPhone, or Android.

How to change your Google password on desktop

1. Go to myaccount.google.com and sign in if prompted.
2. On the left, select Security.
3. Scroll to How you sign in to Google and click Password.
4. You’ll be asked to verify your identity, either with your current password or a passkey, depending on your account settings.
5. Type in your new password and click Change Password to confirm.

How to change your Google password on iPhone or iPad

1. Open the Gmail app and tap your profile photo in the top right. If you don’t use Gmail, go to myaccount.google.com in your browser instead.
2. Tap Manage your Google Account.
3. Swipe over to the Security tab.
4. Under How you sign in to Google, select Password.
5. Enter your current password or use the passkey to verify.
6. Set a new password, then tap Change Password.
   

How to change your Google password on Android

1. Open your device’s Settings.
2. Select Accounts and backup.
3. Tap Manage accounts.
4. Tap your Google account name, then tap Google Account.
5. Swipe over to the Security tab.
6. Tap Password under How you sign in to Google.
7. Enter your current password or screen lock to verify. Then enter your new password, confirm it, and tap Change Password.

Forgot your Google password? Here’s how to reset it

If you’ve lost access to your Google password, recovery depends on what account access and security settings you’ve set up. Here’s how to navigate the process, whether you still have recovery options or not.

Google account recovery process

1. Visit accounts.google.com/signin/recovery.
2. Enter your email address or phone number.
3. Google will guide you through available recovery options, which may include:

• A previously used password: Even an old one helps confirm your identity.
• Verification prompt on a trusted device: You’ll get a prompt on a device where you're already signed in to confirm it’s really you.
• Recovery email or phone number: You’ll get a 6-digit code sent via either method.

What if you don’t have access to recovery methods?

If your recovery email or phone number no longer works, Google may still let you prove ownership another way. At the bottom of the recovery screen, tap Try another way to see more options.

The questions you’re shown depend on your account history, but one of the most common is to enter a password you’ve used before. You might also be asked to confirm other details tied to your account.

Google recommends answering as many questions as possible, even if you’re unsure. Submitting responses from a device or location you’ve used before can also help improve your chances.

If you’ve exhausted all recovery options

If Google can’t verify you, it will show:

“Google couldn’t confirm this account belongs to you.”

There’s no manual override or support option to bypass this. You can:

• Retry after 24 hours using a familiar device and network
• Try alternative emails or phone numbers you may have linked to the account
• Start a new account and secure it with recovery options and two-factor authentication

Tips for creating a strong and secure Google password

Changing your password is only useful if the new one can stand up to modern threats. Password security has come a long way, and so have the tools used to crack them. Strong passwords protect your account from brute-force attacks, credential stuffing, and other threats.

Here’s how to create a good password.

Avoid using personal information or reused passwords

If your password includes your name, birthday, pet’s name, or anything else that could be pulled from your social media, it’s not secure. This information is available to cybercriminals and can be used in a password-guessing attempt.

Reused passwords are just as risky. If one account gets compromised, attackers often try the same login across hundreds of sites. It’s a common pattern, and it’s why every account should have its own unique password.

Combine uppercase and lowercase letters, numbers, and symbols

The more variety, the stronger the password. Use a mix of uppercase and lowercase letters, numbers, and special characters like @, #, ?, or &.

Avoid predictable formats like WordWord123. A better example would be something like:

• N7#yxFq$32LmT
• jQ!38bBv9&kRt1

Following this strategy, you can avoid using passwords that are overly simple and easy to guess. There are some examples of predictable passwords to avoid in this global password trends infographic.

If you need help creating a strong password, you can use ExpressVPN’s password generator.

Ensure your password is long enough

Length adds strength. Anything shorter than 12 characters is too easy to crack—even if it’s randomly generated. For better protection, aim for at least 14 characters.

Some people prefer randomly generated strings, while others go with passphrases—long combinations of unrelated words or elements that are easier to remember but still hard to guess. A good example is something like GravelDuck!29OrangeTree#. It’s long, unpredictable, and combines elements that don’t normally appear together.

Passwords like this strike a strong balance between memorability and security. Whether you’re using a passphrase or a random string, just make sure it’s unique, hard to predict, and not based on anything personal.

Use a password manager

Strong passwords are rarely human-friendly. That’s why password managers exist—they generate secure passwords, store them safely, and autofill them when you need to log in.

This keeps your credentials unique and private and avoids relying on your memory or risky habits like writing passwords down. Not to mention, it saves you the time and frustration of resetting logins you can’t remember.

If you don’t already use one, ExpressVPN Keys is a simple, secure way to start. It creates strong passwords for every account, remembers them for you, and syncs across your devices automatically.

Securing your Google account after changing the password

A new password is only the start. To keep your account secure, you’ll need to go a step further, starting with two-factor authentication and ending with smart habits that protect you from the most common threats.

Enable two-factor authentication (2FA)

2FA makes it significantly harder for anyone to get into your account, even if they have your password. It adds a second step—like a code, a prompt, or a security key—to verify that it's really you.

To turn it on:

1. Go to your Google Account and select Security from the left panel.
2. Under How you sign in to Google, choose 2-Step Verification.
3. Follow the on-screen instructions to complete the setup.

Google offers several user verification methods: SMS, Google prompts, authenticator apps, or security keys. Use prompts or apps whenever possible; they're more resistant to interception than text messages.

Check for unauthorized sessions or devices

After changing your password, check which devices are still signed in. In some cases, old sessions may stay active unless explicitly signed out.

1. Visit Security and select Your devices.
2. Click Manage all devices to access device details.
3. Here, you can review everything that has access. If anything looks unfamiliar or it’s a device you haven’t used in a while, select it and click Sign out.

Don’t assume Google catches everything—a quick review is an easy way to catch problems early.

Use passkeys (optional advanced security)

Passkeys let you skip passwords entirely by using biometric authentication or device-based unlocks. Instead of typing a password, you sign in by confirming your identity with your fingerprint, face scan, or device PIN.

Passkeys are tied to your device, so they can’t be phished or stolen remotely.

To enable passkeys:

• Go to your Google account Security settings.
• Find the Passkeys and security keys section and follow the prompts to add a new one.

Not all devices support passkeys yet, but where available, they’re one of the most secure and seamless ways to protect your account.

Be careful with links and attachments

Phishing scams are designed to catch you off guard. That email asking you to verify your Google account or download an invoice? It might be a trap.

Watch for red flags like:

• Urgent or unexpected requests
• Misspelled domains or odd sender addresses
• Suspicious links masked as legitimate ones

Instead of clicking, go directly to the source. If Google needs you to update something, you’ll see it in your Google account settings.

Use a VPN

On open or poorly configured Wi-Fi networks, attackers can intercept your traffic, spy on your communications, or redirect you to fake Google login pages.

A VPN encrypts your entire internet connection. It protects you from man-in-the-middle attacks, DNS spoofing, and session hijacking—risks that most people don’t see coming until it’s too late.

It also masks your IP address, adding an extra layer of privacy protection that reduces the chance of targeted phishing or location-based attacks.

If you're checking sensitive accounts on a network you don't control, a VPN adds a layer of protection you wouldn't otherwise have. ExpressVPN offers fast, secure connections with apps for every device, making it an easy way to keep your data private wherever you are.