Google says change your Gmail password now.
SOPA Images/LightRocket via Getty Images
Update, June 15, 2025: This story, originally published on June 14, has been updated to include additional technical information on using a passkey to replace your Gmail password.
I’ve said it before, and, unfortunately, I will continue repeating it unless you take action now: Gmail, like all email providers, is under attack. Don’t just take my word for it; even Google admits that email attacks have targeted 61% of U.S. consumers. Let that sink in for a bit. OK, are you worried now? You should be, and you should also take immediate action to mitigate the chances of becoming another victim of email hackers. Google’s vice-president of privacy, safety and security, Evan Kotsovinos, has issued a warning in which he “strongly encourages” the 2 billion users of the platform to make one straightforward change: replace your Gmail password now. Here’s what you need to know and do.
Google Strongly Encourages You To Change Your Gmail Password Without Delay
The majority of people still use passwords to sign into their Google accounts, which also means signing into their Gmail accounts. That’s a terrifying thought, but one that’s hardly surprising as we tend to be resistant to change, especially when something like security is concerned. The overused mantra of “if it ain’t broke, don’t fix it” is often, and totally wrongly, used when I tell users that their password is putting their accounts, email, data, and money at risk. “I’ve used that password for five years and never been hacked,” is a typical response. It’s just a matter of time, buddy, and the cybersecurity landscape would suggest that time is fast running out.
“Over 60% of U.S. consumers perceive an increase in scams over the past year,” Kotsovinos said, “with one-third personally experiencing a data breach.” Which is why one of Google’s top security brains has also urged all users to stop using their passwords, which are painful to maintain and prone to phishing attacks.
Google recommends that you change your Gmail password now to something more secure. And that doesn’t mean a better password but something else entirely: a passkey. “We want to move beyond passwords altogether,” Kotsovinos confirmed, “while keeping sign-ins as easy as possible.” Passkeys are, Kotsovinos continued, phishing-resistant and can log you in using your face or fingerprint. “When you pair the ease and safety of passkeys with your Google Account,” he concluded, “you can then use Sign in with Google to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.”
What’s more, when you add a passkey to your Gmail account, it won’t change or remove any authentication or recovery factors you already have on your account. What it will do is bypass the 2FA step as it verifies that you are in possession of the device itself.
This is all excellent news, and given the ongoing cyber assault on Gmail accounts that we have been observing for many months now, often employing AI-powered resources, this advice should be followed immediately. Here’s what to do.
What Is A Passkey, And How Is It Technically More Secure Than Your Gmail Password?
Understanding how a passkey actually works is a great move towards actually realizing why Google, and most other major tech vendors, want to push users into adopting the identity security solution sooner rather than later. I spoke to Steve Won, the chief product officer at leading password manager 1Password, about the technology behind passkeys that makes them such a secure password replacement. “Every passkey is made up of two keys—a unique public key, which is created and stored on that company’s server, and a private key, which is stored on the user’s device,” Won explained. As with all such public/private key systems, the public key (known to everyone) is used to create a challenge that can then only be solved if you have access to the private key (which is a secret and known only to you). “Because of this,” Won continued, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.”
You can think of passkeys as being strong by default, resistant to most phishing attacks and effortless to use. A hacker cannot simply guess what one is, nor can passkeys be compromised by using lists of reused and weak credentials. Indeed, they cannot be stolen, which removes the ability to use stolen credentials in the first place. Your private keys never leave your device, so there is no opportunity for password-spraying or brute-force attacks. You cannot create a weak passkey; that’s an oxymoron: all passkeys are strong and secure by default and by definition.
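The challenge-and-response sign-in described above, as an added example rather than code from Google or 1Password: a simplified Node.js model in which the site issues a random challenge, the device signs it with the private key, and the site verifies the signature with the stored public key. The class names, origins and message layout are assumptions for illustration and leave out real WebAuthn encoding.

```javascript
// Added illustration of a passkey-style sign-in; simplified, not real WebAuthn encoding.
const nodeCrypto = require("crypto");

// The user's device: holds one private key per site origin.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey); // the private key stays on the device
    return publicKey;                  // only the public key is sent to the site
  }
  // `origin` is what the browser reports for the page actually loaded.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;      // no passkey exists for this origin
    const clientData = JSON.stringify({ origin, challenge: challenge.toString("base64url") });
    return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), privateKey) };
  }
}

// The site: stores public keys and issues one-time random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) { const c = nodeCrypto.randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);         // each challenge is single use
    if (!assertion || !challenge) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.origin !== this.origin) return false;
    if (data.challenge !== challenge.toString("base64url")) return false;
    const signed = Buffer.from(assertion.clientData);
    return nodeCrypto.verify("sha256", signed, this.publicKeys.get(user), assertion.signature);
  }
}

function demo() {
  const site = "https://accounts.example", lookalike = "https://accounts-example.test"; // constructed
  const device = new Authenticator(), server = new RelyingParty(site);
  server.enroll("alice", device.register(site));
  const good = device.sign(site, server.newChallenge("alice"));
  const legit = server.verify("alice", good);
  // Same user on a look-alike page that relays a fresh, genuine challenge.
  const phished = server.verify("alice", device.sign(lookalike, server.newChallenge("alice")));
  server.newChallenge("alice");
  const replayed = server.verify("alice", good); // captured assertion, new challenge
  return { legit, phished, replayed };
}
```

Only the sign-in on the registered origin verifies; the look-alike origin has no key to sign with, and a captured assertion fails against any later challenge.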
How To Replace Your Gmail Password With A Passkey In 3 Simple Steps
Preparation is everything, so Google advises that you ensure you have the following available before you start the passkey creation process:
- A computer running Windows 10, macOS Ventura or ChromeOS 109 or later.
- A smartphone running iOS 16 or Android 9 or later, with Bluetooth and screen lock enabled.
- The latest version of a compatible browser such as Chrome, Edge, Firefox or Safari.
- iOS and macOS users must enable iCloud Keychain.
OK, with that out of the way, here’s how to go from password to passkey in three simple steps:
- Access your Google Account settings and then head to Security Settings and select the Passkeys option under “how you sign in to Google.”
- Click on create a passkey and follow the prompts.
- Verify your identity using fingerprint or facial recognition on your computer or smartphone and, erm, that’s it.
Congratulations, you can now use a passkey instead of your Gmail password to sign into your email account, knowing that you have just removed one of the primary methods hackers use to compromise your data. You can find out more about Google passkeys here.