How to Change Your Password If You've Forgotten It

Forgetting a password happens to everyone. Whether it's your email account, a streaming service, or your phone's lock screen, the recovery process follows a recognizable pattern — but the exact steps vary depending on the platform, your account setup, and what recovery options you previously configured. Understanding how password recovery actually works helps you move faster when you're locked out.

How Password Recovery Works

Most platforms don't store your password in plain text. They store a cryptographic hash — a one-way transformation of your password. This means even the service itself can't tell you what your password was. Instead, they verify your identity through other means and let you set a new one.

The three most common recovery methods are:

  • Email reset link — A time-limited link is sent to your registered email address. Clicking it opens a page where you set a new password.
  • SMS verification code — A one-time code is sent to your registered phone number.
  • Security questions or backup codes — Less common now, but still used on older platforms or as a fallback.

Some platforms — especially those with strong security models — also support recovery through a trusted device, authenticator app, or account recovery key.
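The hash storage and time-limited reset link described above, as an added example that is not part of the original article or any platform's own code: a minimal in-memory sketch showing why the service cannot reveal the old password and how a reset link can be made expiring and single-use. The function names, the 15-minute lifetime, the PBKDF2 work factor and the sample account are assumptions chosen for illustration.

```python
import hashlib, hmac, os, secrets, time

RESET_TTL_SECONDS = 15 * 60   # assumed link lifetime
PBKDF2_ROUNDS = 600_000       # assumed work factor
users = {}         # username -> (salt, password_hash); no plaintext is kept
reset_tokens = {}  # sha256(token) -> (username, expires_at)

def hash_password(password, salt):
    """One-way, salted, deliberately slow transformation of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def set_password(username, password):
    salt = os.urandom(16)  # fresh per-user salt on every change
    users[username] = (salt, hash_password(password, salt))

def verify_password(username, password):
    if username not in users:
        return False
    salt, stored = users[username]
    return hmac.compare_digest(stored, hash_password(password, salt))

def issue_reset_token(username, now=None):
    """Return the secret that goes into the emailed link; store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()
    reset_tokens[digest] = (username, now + RESET_TTL_SECONDS)
    return token

def redeem_reset_token(token, new_password, now=None):
    """Set a new password if the token is known, unexpired and unused."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).digest()
    entry = reset_tokens.pop(digest, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    set_password(username, new_password)
    return True

if __name__ == "__main__":
    set_password("alice", "old-forgotten-pw")  # constructed sample account
    link_token = issue_reset_token("alice")
    print(redeem_reset_token(link_token, "new-strong-pw"))  # first use
    print(redeem_reset_token(link_token, "second-try"))     # reuse attempt
    print(verify_password("alice", "new-strong-pw"))
```

Storing only the hash of the reset token means a leaked token table cannot be replayed as working links, for the same reason a leaked password table does not directly reveal passwords.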

The General Steps for Most Accounts

While every platform is slightly different, the core process looks like this:

  1. Go to the login page and click "Forgot password" or "Can't sign in"
  2. Enter your registered email address or username
  3. Choose a verification method (email, SMS, or alternate contact)
  4. Complete the verification step
  5. Set a new, strong password
  6. Log in with the new password

This works for the vast majority of web-based accounts — email providers, social media platforms, streaming services, and most subscription tools.

Platform-Specific Differences That Matter 🔐

The recovery experience shifts meaningfully depending on where you're locked out.

Google / Gmail

Google's recovery flow is thorough by design. It may ask you to confirm a previously used password, verify your identity via a trusted device, or send a code to a recovery phone or email. If you're signed into Google on another device (like your phone), that device may receive a prompt to confirm it's you — bypassing email entirely.

Apple ID

Apple ID recovery can involve two-factor authentication sent to a trusted Apple device or phone number. If you've lost access to all trusted devices and numbers, Apple offers an Account Recovery Contact (set up in advance) or a formal account recovery process, which can take several days to complete for security reasons.

Microsoft Account

Microsoft uses a similar flow to Google, with a security code sent to your email or phone. It also offers an identity verification form if you've lost access to all your contact options — though this requires providing account history details.

Phone Lock Screen PINs and Passwords

This is a different category entirely. Forgetting a device PIN or password (not an online account) is more serious because the lock screen protects local encryption.

| Device Type | Common Recovery Option |
|---|---|
| Android (Google account linked) | "Forgot PIN" option after failed attempts; uses Google credentials |
| iPhone / iPad | Connect to a computer with iTunes/Finder and restore via Recovery Mode |
| Windows PC | Microsoft account reset (if signed in with one); local accounts may require installation media |
| Mac | Apple ID reset or macOS Recovery Mode |

Recovering a device lock screen typically involves either your linked cloud account credentials or a factory/system reset — which can mean data loss if the device isn't backed up.

What Recovery Depends On: The Key Variables

Not every locked-out situation resolves the same way. Several factors determine how smooth — or difficult — your recovery will be:

Access to your recovery contact. If you no longer use the email address or phone number linked to an account, standard recovery methods may fail. Many platforms provide an escalation path, but it's slower and less guaranteed.

Whether two-factor authentication is enabled. 2FA adds security but also adds complexity to recovery. Without access to the second factor (your phone, authenticator app, or backup codes), you may need to use pre-saved recovery codes or go through a manual identity verification process.

How long since you last logged in. Some services deactivate or flag accounts that haven't been accessed in a long time. Recovery may still work, but you might also find the account no longer exists.

Whether the account is a personal or organizational one. Work and school accounts managed through platforms like Microsoft 365 or Google Workspace may route you to an IT administrator rather than self-service recovery. You may not have permission to reset your own password without going through your organization.

Device vs. account distinction. A forgotten device PIN and a forgotten account password require completely different recovery paths — and confusing the two leads to wasted time.

If Standard Recovery Fails

When the usual reset link doesn't arrive or you're locked out of your recovery contact itself, options narrow — but they don't disappear entirely:

  • Check your spam or junk folder for reset emails
  • Try an alternate email or phone number you may have registered at signup
  • Use backup codes if you set them up when enabling 2FA (these are usually generated once and stored by the user)
  • Contact the platform's account support directly — most have a manual identity verification path for edge cases
  • For devices, consult manufacturer documentation for recovery or restore procedures

🔑 One pattern worth noting: the harder a recovery process is, the more likely it's by design. Strong account security deliberately makes unauthorized access difficult — and that same friction applies when it's genuinely you trying to get back in.

The Setup That Determines Everything

The ease or difficulty of recovering a forgotten password almost always traces back to decisions made before getting locked out — which recovery contacts were added, whether backup codes were saved, whether a trusted device was registered.

Your specific situation — which platform you're locked out of, what recovery information is still accessible to you, whether your account is personal or managed — determines which path is actually available to you right now.