Google says change your Gmail password now.
Update, June 16, 2025: This story, originally published on June 14, has been updated to include new data regarding the use of risky passwords and password habits, as well as further technical information about passkey technology including what happens if you lose the device you use to access one should you switch from using a Gmail password as Google has advised.
I’ve said it before, and, unfortunately, I will continue repeating it unless you take action now: Gmail, like all email providers, is under attack. Don’t just take my word for it; even Google admits that email attacks have targeted 61% of U.S. consumers. Let that sink in for a bit. OK, are you worried now? You should be, and you should also take immediate action to mitigate the chances of becoming another victim of email hackers. Google’s vice-president of privacy, safety and security, Evan Kotsovinos, has issued a warning in which he “strongly encourages” the 2 billion users of the platform to make one straightforward change: replace your Gmail password now. Here’s what you need to know and do.
The majority of people still use passwords to sign into their Google accounts, which also means signing into their Gmail accounts. That’s a terrifying thought, but one that’s hardly surprising as we tend to be resistant to change, especially when something like security is concerned. The overused mantra of “if it ain’t broke, don’t fix it” is often, and totally wrongly, used when I tell users that their password is putting their accounts, email, data, and money at risk. “I’ve used that password for five years and never been hacked,” is a typical response. It’s just a matter of time, buddy, and the cybersecurity landscape would suggest that time is fast running out.
“Over 60% of U.S. consumers perceive an increase in scams over the past year,” Kotsovinos said, “with one-third personally experiencing a data breach.” Which is why one of Google’s top security brains has also urged all users to stop using their passwords, which are painful to maintain and prone to phishing attacks.
Google recommends that you change your Gmail password now to something more secure. And that doesn’t mean a better password but something else entirely: a passkey. “We want to move beyond passwords altogether,” Kotsovinos confirmed, “while keeping sign-ins as easy as possible.” Passkeys are, Kotsovinos continued, phishing-resistant and can log you in using your face or fingerprint. “When you pair the ease and safety of passkeys with your Google Account,” he concluded, “you can then use Sign in with Google to log in to your favorite websites and apps — limiting the number of accounts you have to maintain.”
What’s more, when you add a passkey to your Gmail account, it won’t change or remove any authentication or recovery factors you already have on your account. What it will do is bypass the 2FA step as it verifies that you are in possession of the device itself.
This is all excellent news, and given the ongoing cyber assault on Gmail accounts that we have been observing for many months now, often employing AI-powered resources, this advice should be followed immediately. Here’s what to do.
Since this article was originally published on June 14, a new report has been released that exposes precisely why the advice from Google to replace your existing Gmail password with the much more secure passkey alternative to protect your account is so relevant right now.
The password survey found that a staggering 49% of adults in the U.S. are participating in what can only be called risky password practices. The biggest sin, in my never humble opinion and for reasons I have explained time and time again, has to be password reuse. Yet this research revealed that 24% of those surveyed admitted to doing just that, using the same password across multiple accounts and services online. Oh, and I hope you are sitting down, 8% said they used a password that they were already aware had been compromised in a previous breach.
What else did this analysis of password horrors reveal? Well, how about throwing in the fact that 14% of those asked used the name of a pet for their password, 11% the name of a family member and 11% part of their own full name. Don’t do that. Quite apart from the rule of never using real names or dictionary words, anything associated with you personally is, in these days of social network exposure, easily discovered by attackers. Ditto, it has to be said, for the 15% that used an important date such as a birthday or anniversary. But wait, it gets worse: 6% used their street address or a previous street address, 5% went for the numerical sequence or keyboard walking approach to password construction, and 3% used their favourite sports team. Sigh.
It’s not all bad news, as the survey said that a quarter of U.S. adults used a random password generator of some kind to create their passwords, which, provided they are not being reused, is a far safer method. Most password manager applications will provide this functionality and help to prevent password reuse by enabling the easy management and use of the random passwords in question. Of course, using a passkey is still way more secure.
Understanding how a passkey actually works is a great move towards realizing why Google, and most other major tech vendors, want to push users into adopting the identity security solution sooner rather than later. I spoke to Steve Won, the chief product officer at leading password manager 1Password, about the technology behind passkeys that makes them such a secure password replacement. “Every passkey is made up of two keys—a unique public key, which is created and stored on that company’s server, and a private key, which is stored on the user’s device,” Won explained. As with all such public/private key systems, the server issues a fresh sign-in challenge that can only be answered by signing it with the private key (which is secret and stays on your device), and it uses the public key (which can safely be known to everyone) to verify that signature. “Because of this,” Won continued, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.”
You can think of passkeys as being strong by default, resistant to most phishing attacks and effortless to use. A hacker cannot simply guess what one is, nor can passkeys be compromised by using lists of reused and weak credentials. Indeed, they cannot be stolen, which removes the ability to use stolen credentials in the first place. Because your private keys never leave your device, there is no opportunity for password-spraying or brute force attacks. You cannot create a weak passkey; that’s an oxymoron. All passkeys are strong and secure by default and by definition.
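To make the two-key mechanism Won describes concrete, here is an added example that is not code from Google, 1Password or the article: a small Go model of the passkey sign-in ceremony. The server stores only the public key, issues a random challenge, and the device answers by signing the challenge together with the site's identifier and the origin the browser was really on. It goes one step beyond the text by showing the origin check that is the source of the phishing resistance: an assertion produced on a look-alike domain is rejected even though it carries a valid signature. The site names (`mail.example`, `mai1.example`), the Ed25519 choice and the simplified message layout are assumptions made for this illustration, modelled on WebAuthn but not a full implementation of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator is the device-side half of a passkey; the private key never leaves it.
type Authenticator struct {
	rpID   string
	credID []byte
	priv   ed25519.PrivateKey
}

// RelyingParty is the website: public keys only, so a stolen copy of creds cannot sign in.
type RelyingParty struct {
	rpID, origin string
	creds        map[string]ed25519.PublicKey // keyed by base64url credential ID
}

// clientData mirrors WebAuthn CollectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the device's signed answer to one sign-in challenge.
type Assertion struct{ CredID, ClientDataJSON, Signature []byte }

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{rpID: rpID, origin: origin, creds: map[string]ed25519.PublicKey{}}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy, no passkey: fail loudly rather than sign with junk
	}
	return b
}

// Register generates the key pair on the device and gives the server only the public key.
func Register(rp *RelyingParty) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	credID := randomBytes(16) // constructed credential ID, as a real authenticator would mint
	rp.creds[b64(credID)] = pub
	return &Authenticator{rpID: rp.rpID, credID: credID, priv: priv}, nil
}

// NewChallenge issues a fresh nonce that the server remembers for one sign-in attempt.
func (rp *RelyingParty) NewChallenge() string { return b64(randomBytes(32)) }
// signedMessage is what gets signed, as in WebAuthn: sha256(rpID) || sha256(clientDataJSON).
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	return append(rpHash[:], cdHash[:]...)
}

// Sign plays browser plus authenticator: the browser reports the origin it is really on.
func (a *Authenticator) Sign(challenge, browserOrigin string) (*Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(a.priv, signedMessage(a.rpID, cd))
	return &Assertion{CredID: a.credID, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the server-side check; every refusal names its reason for the logs.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	pub, ok := rp.creds[b64(as.CredID)]
	if !ok {
		return fmt.Errorf("unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return fmt.Errorf("malformed clientData")
	}
	if subtle.ConstantTimeCompare([]byte(cd.Challenge), []byte(expectedChallenge)) != 1 {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin { // the phishing-resistance check
		return fmt.Errorf("origin %q rejected: assertion was produced on another site", cd.Origin)
	}
	if !ed25519.Verify(pub, signedMessage(rp.rpID, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}
```

A genuine sign-in is `Register`, then `NewChallenge`, then `Sign(challenge, "https://mail.example")` and `Verify`, which returns nil. The same device signing the same challenge while the browser sits on `https://mai1.example` produces an assertion that `Verify` refuses on the origin check, and reusing an old assertion fails the challenge comparison, which is why neither a phishing page nor a replayed capture gets an attacker in.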
OK, the elephant in the room has just stood up and is waving its trunk around madly: how can passkeys be secure if they put all your security eggs in one easily lost or stolen basket, a smartphone? This is, perhaps, the most common question I get asked whenever I talk to someone about replacing their passwords with passkeys, or write an article suggesting the same. I understand the concern, and it’s a natural one when a new technology is being suggested that people have yet to understand the workings of. If you lose your smartphone on which your passkey is stored, you won’t be locked out of your account. If someone steals your smartphone with the passkey on it, they will not be able to access the account it protects. Here’s why, from someone who knows: Anna Pobletts, the head of passwordless at 1Password.
Pobletts told me that, actually, when it comes to loss, theft or other compromise, passkeys are a far safer option than passwords. “When a passkey is created on their device, it gets synced across all their devices in the ecosystem,” Pobletts explained. This means that the passkey is never actually tethered to that lost device, rather it is tied to the account and “they can recover their passkeys on another device by signing into their passkey provider,” Pobletts said.
When it comes to compromised devices, Pobletts concluded, “the website and the passkey provider have joint responsibility to allow you to manage your passkeys and devices - including de-authorizing devices or passkeys you don't control any more.”
Preparation is everything, so Google advises that you ensure you have the following available before you start the passkey creation process:
OK, with that out of the way, here’s how to go from password to passkey in three simple steps:
- Access your Google Account settings and then head to Security Settings and select the Passkeys option under “how you sign in to Google.”
- Click on Create a passkey and follow the prompts.
- Verify your identity using fingerprint or facial recognition on your computer or smartphone and, erm, that’s it.
Congratulations, you can now use a passkey instead of your Gmail password to sign into your email account, knowing that you have just removed one of the primary methods hackers use to compromise your data. You can find out more about Google passkeys here.