Phishing—coaxing a user into entering their username and password on a site that looks like the real thing but isn’t—continues to be a nuisance because it works. It doesn’t require sneaking malware onto your computer and instead needs just a moment’s inattention or undeserved trust from you.

Browsers are supposed to screen rogue addresses hosting phishing attacks, but the databases they check can miss a new phishing site.

Changing the password is the obvious move after regaining control over the account, but much of the “obvious” advice about creating strong passwords is wrong.

Use long passwords

As the government’s National Institute of Standards and Technology recently acknowledged in a major update to its password-security guidelines, adding letters and symbols to a short password won’t do much against determined codebreaking—while writing longer passwords, even if they only involve letters, will.
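The arithmetic behind that guidance, as an added example rather than anything from the article: the number of possible passwords grows far faster with length than with a bigger character set, so twelve lowercase letters already outnumber eight characters drawn from every printable symbol. The 10 billion guesses per second rate is a constructed assumption standing in for an offline attack on a leaked password hash, not a figure from the article.

```python
import math

# Alphabet sizes used for the comparison. 95 is the printable-ASCII set
# (letters, digits and symbols); the other two are subsets of it.
ALPHABETS = {
    "lowercase letters": 26,
    "upper and lower letters": 52,
    "letters, digits and symbols": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space: log2 of the number of possible passwords."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Years to try every password of this shape at a constant guess rate."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = 1e10) -> list:
    """Tabulate a short 'complex' password against longer letter-only ones.

    1e10 guesses/s is a constructed assumption, not a measured rate."""
    policies = [
        ("letters, digits and symbols", 8),
        ("lowercase letters", 12),
        ("upper and lower letters", 12),
        ("lowercase letters", 16),
    ]
    rows = []
    for name, length in policies:
        size = ALPHABETS[name]
        rows.append((name, length,
                     search_space_bits(size, length),
                     years_to_exhaust(size, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for name, length, bits, years in compare_policies():
        print(f"{length:2d} x {name:28s} {bits:6.1f} bits {years:14.3f} years")
```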

You can also ignore the traditional tip to change your password every 30 or 90 days. If your new password isn’t something others could readily guess, you don’t need to add a reminder to your calendar to change it in three months.

But one bit of password dogma does still apply: If you’ve used the phished account’s password on other accounts you value, you need to change those logins to use different passwords.

What if you emailed a password to yourself or saved a few passwords in a draft email? (I’m not endorsing that practice, but I know it happens.) Sorry, you need to change them too.

Check sent mail

Using a password-manager app to store your passwords in encrypted form is a safer alternative to squirreling away passwords in your email. Beyond the basic password-manager features Apple includes in iOS and macOS, and Google provides in Android and Chrome, Dashlane and LastPass remain free for basic use.

Next, check your sent mail for any evidence of scam or phishing emails the attacker may have sent to your friends. But since the attacker could also have deleted those messages after sending them, it wouldn’t hurt to ask your most frequent correspondents if they got anything weird from you after the phishing attack.

After that, make sure that your backup contacts—the email or phone number that the mail provider could use to contact you if it sees suspicious use of your account—are current. Without that, you may have to wait days after a future compromise of your email.