I forgot my password — what do I do first?

Go to the service's own sign-in page and click the 'Forgot password?' or 'Can't sign in?' link, which sits next to the password box on almost every site. The service then verifies it's really you — usually by emailing or texting a reset link or a one-time code — and lets you set a new password. Do this only on the genuine website (type the address yourself, don't follow a link from an email), because fake 'reset your password' messages are a common phishing trick. If you still have access to the email or phone on the account, recovery usually takes a minute or two.

What if I've lost access to the email or phone for 2FA too?

Use the service's account recovery flow rather than the standard password reset. Most providers offer a longer identity-verification process — answering security questions, using backup codes you saved when you set up two-factor authentication, confirming from a previously trusted device, or supplying ID for some accounts. It's slower and not guaranteed, which is exactly why saving backup codes and keeping a recovery email or phone up to date matters before you're locked out. Start from the provider's official help pages for 'account recovery'.

Is it safe to reset a password from a link in an email?

Only if you requested it moments ago and recognise the sender — and even then it's safer to ignore the link and go to the site directly. Attackers send fake 'unusual sign-in, reset your password' emails that lead to lookalike pages built to steal your login. The rule: never start a password reset from an unsolicited message. Open a new tab, type the service's address yourself, and use its own 'forgot password' link. A password manager helps here because it only autofills on the genuine domain, so it simply won't fill on a fake one.

What makes a good new password?

Long, unique, and random. Length matters more than symbols — a passphrase of several unrelated words, or 16+ random characters, is strong. Above all it must be unique to that one account, so a breach of one site can't unlock the others (attackers routinely try a leaked password everywhere, an attack called credential stuffing). You don't need to memorise it: a password manager generates a long random password per account and remembers it for you, which is what turns 'unique everywhere' from impossible into automatic.

How do I never forget a password again?

Stop trying to remember them. Use a password manager: you memorise one strong master password (or unlock with your fingerprint or face), and it stores a unique, random password for every account and fills it in automatically. That removes the two reasons people get locked out — forgetting, and reusing one password everywhere until a breach forces a reset. Keep your account's recovery email and phone current and save any two-factor backup codes, so even a lost device doesn't lock you out.

Forgot Your Password? How to Reset It Safely — and Never Again (2026)

Forgetting a password isn't a crisis — every account is built to recover from it. What matters is doing it safely, because the moment you're searching for a "reset" link is exactly when phishing pages try to catch you. This guide is the calm, universal version: how to reset any password the right way, what to do when you've lost your email or 2FA too, and the one habit that means you never have to do this again.

First: the universal reset, in one minute

Almost every service works the same way:

Go to the genuine sign-in page — type the address yourself, don't follow a link from an email or text.
Click "Forgot password?" or "Can't sign in?" next to the password box.
The service verifies it's you — usually a reset link or one-time code sent to your email or phone.
Set a new password that's long and unique to this account.

If you still have access to the email or phone on the account, that's the whole process. The only real pitfall is where you do it — which is the next section.

The safety rule that actually matters

Never start a password reset from a message you didn't ask for. Fake "unusual sign-in detected — reset your password now" emails are one of the most common phishing tactics, and they lead to lookalike pages built to capture your login the moment you type it.

The habit is simple: ignore the link, open a new tab, type the service's address yourself, and use its own "forgot password" option. If you use a password manager, it adds a built-in safety net — it only autofills on the real domain, so a fake reset page simply stays blank.

A desk with an iMac, a laptop and a phone

When you've lost your email or 2FA too

This is the harder case — you can't get the reset code because you've also lost access to the inbox or the phone holding your two-factor codes. Don't keep retrying the normal reset; switch to the provider's account recovery flow instead. Depending on the service, that can mean:

Backup codes you saved when you turned on two-factor authentication — one of these replaces the missing 2FA code.
A previously trusted device that can approve the sign-in.
A recovery email or phone you added earlier.
Identity verification — security questions, or ID for some accounts.

It's slower and never guaranteed, which is the honest reason the prevention below matters: a few minutes of setup now is what keeps a lost phone from becoming a locked-out account.

The new password: long, unique, random

When you set the replacement, make it count:

Long beats complicated. A passphrase of several unrelated words, or 16+ random characters, is stronger than a short string of symbols.
Unique to this account, always. If you reuse a password, one breached site hands attackers the key to all the others — an automated attack called credential stuffing.
You don't have to memorise it. Generating and storing a unique random password per account is exactly what a password manager is for.

How to never do this again

★ Audit Cure53 2024 · ✓ Plan gratuit · Cross-platform

Never forget a password again — one vault generates and fills them all → NordPassOne master password · Unique random password per account · Autofills only on the genuine site→

The reason people get locked out twice comes down to two habits: trying to remember passwords, and reusing one everywhere until a breach forces a reset. A password manager removes both. You remember one strong master password (or unlock with your fingerprint or face); it stores a unique, random password for every account and fills it in automatically — on the genuine site only.

Pair that with two small steps and lockouts mostly disappear:

Keep your recovery email and phone current on important accounts.
Save your two-factor backup codes somewhere safe when you enable 2FA, so a lost device never means a lost account.

The bottom line

Forgetting a password is routine: go to the real sign-in page, use its "forgot password" link, verify it's you, and set a new password that's long and unique. Never reset from an unsolicited message. If you've lost your email or 2FA too, switch to the provider's account-recovery flow — and afterwards, set things up so it can't happen again. If your account may have been accessed by someone else, see what to do when an account is hacked.

★ Audit Cure53 2024 · ✓ Plan gratuit · Cross-platform

Get NordPass30-day money-back guarantee · Free plan available→

Forgot Your Password? How to Reset It Safely — and Never Again (2026)

First: the universal reset, in one minute

The safety rule that actually matters

When you've lost your email or 2FA too

The new password: long, unique, random

How to never do this again

The bottom line

Read next

What Is Social Engineering? How Attackers Hack People, Not Computers (2026)

What Is Phishing? How to Spot and Stop It (2026)

What Is a Keylogger? How It Steals Passwords and How to Stop It (2026)