It's something nobody wants to think about and hopes they never have to do, but it is important to know how to change your Google account password so that every device and service needs to log in again.
This isn't just changing your password. Think of it as the next step if you think someone may have gained access to your Google account. You won't lose any of your Google account data, like emails or contacts, but you will need to set up any two-factor app passwords again, so if any of your apps delete their data when this happens, you probably won't be able to get it back.
Think of this as a last-ditch effort to stop someone from taking over your online identity; you still should change your password every six weeks the "normal" way.
All of this information is available from Google, but it's spread out across several different help topics and places online. It's never fun to search for every step, especially when you're frustrated, so here is everything you need to know in one handy spot.
What you'll need
- A working Google account. If someone already has access and has locked you out, you need to contact Google support.
- An Android or iOS phone that can get text messages. If you use a VoIP service for messaging, make sure it can get short codes and authentication tokens via SMS. Your best bet is to have a phone with a working SIM card and account.
- A second way to get online, just in case.
Account recovery options
Start by going to your Google account security page. Notice the https and make sure the URL you visit has the same prefix so you know it's a real Google page. On the page you'll see options for Account recovery; make sure they are all correct. If you never set any, do so now.
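The URL check described above can be written down precisely. This is an added example, not part of the original article: it shows why comparing the parsed hostname is stricter than glancing at how the address starts. The trusted host names, the `/security` path and the sample addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the hosts Google uses for account settings and sign-in.
TRUSTED_HOSTS = {"myaccount.google.com", "accounts.google.com"}


def naive_prefix_check(url: str) -> bool:
    """Eyeball-style check: does the address merely start with the right text?"""
    return url.startswith("https://myaccount.google.com")


def is_google_account_url(url: str) -> bool:
    """Accept only https URLs whose parsed hostname is exactly a trusted host."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # "user@host" syntax puts familiar text before the real host: reject it.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    return (parts.hostname or "") in TRUSTED_HOSTS


# Constructed sample addresses; the .example hosts are reserved placeholders.
SAMPLES = [
    "https://myaccount.google.com/security",
    "http://myaccount.google.com/security",
    "https://myaccount.google.com.login.example/security",
    "https://myaccount.google.com@login.example/security",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{is_google_account_url(url)!s:5}  naive={naive_prefix_check(url)!s:5}  {url}")
```

Only the first sample passes the strict check, while the last two also pass the naive prefix comparison.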
Sign out other sessions
Open your Gmail through a web browser in desktop mode. You won't be able to do this through an app. At the very bottom left of the page you'll see Last account activity: with a time after it, and right under it you'll see Details. Click or tap on Details. A new window will open that tells you how, where, and when your account has been accessed. You should review these entries, but the important thing here is the button labeled Sign out of all other web sessions. Click or tap that. It does just what it says: it logs you off everywhere else. Close the web browser.
Visit your Google account permissions page and remove access for everything listed except the phone in your hands and the other device you'll be using. Again, notice the https URL prefix. To remove a device or app, click or press on it in the list and you'll see a button that says Remove. This does what you think: it revokes access permissions and logs the device or app out of your account.
This step makes sure the only thing connected to your account is the thing in your hands.
Next, revoke all your app passwords. Head back to your Google account security page (again, https!) and scroll halfway down the page. Under the section marked Password & sign-in method you'll see an entry for App passwords. Open it, and you'll need to provide your password. Then proceed to delete any special application passwords you've used or are using. This is important! It's a pain to enter new App passwords for 2FA, but this makes sure someone isn't using a third-party app to grab your data. Just Do It.
Change your password
Stay on your Google account security page because you will need to change your password now. You'll see the entry under the section marked Password & sign-in method. Pick a good password.
You'll need to log in again using this new password on every device that uses your Google account.
Your password doesn't have to be extra long to be secure. It just needs to be random.
- iLovePuppies is a terrible password.
- 1<3PuPp13z is a fair password.
- PuPp13s&t65Rm is a great password.
Don't bother trying to use something you will remember. Instead, find a good password manager. You should use a different password for every single login that asks for one. You'll never be able to remember every password if they are all random!
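What "random" means in practice, as an added example that is not part of the original article: a generator built on Python's `secrets` module, with the entropy arithmetic for a password drawn uniformly from the 94 printable ASCII symbols. The 13-character default matches the length of the last example above; the 80-bit target in the demo is an assumption chosen for illustration.

```python
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password whose characters are each chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest length that reaches the target entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 13) -> str:
    """Draw every character from the OS CSPRNG; nothing is human-chosen."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The estimate holds only for machine-generated passwords: a word with
    # letter substitutions is not a uniform draw and is far easier to guess.
    print(generate_password())
    print(f"13 random characters: {entropy_bits(13):.1f} bits")
    # Assumption for illustration: an 80-bit target.
    print(f"length needed for 80 bits: {length_for_bits(80)}")
```

Store the generated value in the password manager rather than trying to memorize it.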
You need to set up two-factor authentication for your Google account if you haven't already. We recommend you use two-factor authentication on every login that supports it!
2FA (Two-Factor Authentication) means you need more than a password to prove it's really you. For most people, this means a special code sent to your phone via SMS or an authentication app (preferably the latter). It's an extra step, but it is the best way to make sure nobody except you can ever have access to your accounts.
Encrypt Chrome Sync
If you use Chrome and have it save things like logins or credit card numbers, you'll want to encrypt the sync data. That means that you will need to provide a password to sync Chrome on any device. Chances are it's already encrypted using your Google credentials (which you just changed) and you'll be asked to sign in again if you're not on your phone. But you can use a different password for encrypting this data if you want.
This is actually easiest to do using the Chrome app on your phone.
- Open the Chrome app.
- Tap the overflow (three vertical dots) button.
- Tap Settings near the bottom.
- Tap your account name at the top.
- Tap Sync midway down the window.
- Scroll down to Encryption and tap it.
- In the pop-up, choose to Encrypt all synced data with your own sync passphrase.
- Enter your new password.
If you do this, you will need to use this password when you want Chrome to sync with your account. Existing sessions will ask for the new password the next time you open them.
Sign back in to everything
This method will disconnect every single device and app connected to your account. That means phones, tablets, Chromecasts, Google Home and everything else that might be hooked in like web apps or Android apps. If you changed the password using your phone, the services from Google will be able to switch over mostly seamlessly, and apps should just let you authorize the next time you use them.
Other devices, like Google Home or Google Wifi, will need to be logged in through their app. And web services like IFTTT or Pocket will also need to be reauthorized.
This sounds a little extreme and it's not something you should need to do regularly. But if you think someone has worked their way into your account this is the right way to get rid of them!