Centre for Internet & Society

Hacking incident at Zomato underlines need to employ different passwords for different accounts.

The article by Sanjay Kumar Singh was published in the Business Standard on May 23, 2017.

Recently, food-tech company suffered a security breach where 17 million user records were stolen, including email addresses and passwords. Such hacking incidents can have wider consequences, including, in the gravest of scenarios, financial losses. They emphasise the need for people to adopt newer protection mechanisms, such as managers.

In Zomato's case, the passwords are said to be hashed, which means they were converted into unintelligible characters. However, experts say that depending on the hashing protocol used, hashes can be re-engineered to generate the

The hacking of one account can have wider ramifications. "By hacking one account, hackers get access to your email ID and To save themselves the bother of remembering many passwords, users often use the same in all their accounts. So, the hackers get access to your email and other accounts. Sometimes, they use your email account to reset the passwords in your other accounts," explains Shomiron Das Gupta of NetMonastery, a threat management provider. He adds that people often store sensitive information, including their net banking and credit card numbers and passwords within their email accounts. Also, on a website like Amazon, you can only view the last four digits of your credit card number. Other websites may not blur this information, in which case hackers would get access to this and other sensitive information.

Experts recommend you create complex passwords and use different ones for different accounts. Since generating complex passwords and remembering them all is difficult, you should use a manager. Some of the good ones are LastPass, 1Password, Dashlane and TrueKey.

managers can generate long and complex passwords that are difficult to replicate. They also remember on your behalf the passwords on all the sites and apps you use. Also, hackers sometimes steal passwords by inserting a malware that copies keystrokes. Since a manager inputs the password, you don't have to type them in, thereby doing away with the risk of your keystrokes being captured and stolen.

A manager is a secure vault that stores all your passwords. You get access to the vault with a master Instead of remembering many passwords, you have to remember just one.


Browsers like and also offer managers. However, if you wish to use your manager across browsers and apps, use a third-party one like those mentioned above. And while a manager that is stored locally is safer, one that is cloud-based is more convenient, since you can use it across devices having internet connection. managers also offer two-factor authentication. They either send a to your phone or generate it on your device. Unless your device also gets stolen, the manager is difficult to break into.

As for whether managers are themselves safe, experts concede they are a prime target for hackers who know that the information stored within will be valuable. "The manager is safe provided you set a strong master Your should have at least 13 characters of which two should be small, two should be in capital, two should be random numbers, and two should be special characters. Using a word that is not there in the dictionary will enhance its strength. Keep changing your master every three-six months," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru. Since their primary job is to provide security, most managers do have strong security practices, he adds.

Most managers offer a free account but you have to pay to use their advanced security features.