
My problem is not that I can't save emails to a database. Anybody can do that. Here is my question:

When a user makes an account on my website, they get an ID, User, Password, and Email address data. For the password I hash it so that if somebody hacks my website they won't see the real passwords. However, isn't having a bunch of email addresses saved, unprotected (like the users) a security risk?

I have never made a login system website before, and want to know if everybody else just leaves the email address unprotected in the database. (In other words, is it common just to save an email address to database as-is?).

Thanks.

SilverlightFox
StealthVice7
  • It is common, yes. An email address isn't really a security risk (unless users also use that as their password, but that's a bad idea on their part). You can encrypt it if you like, and that would be a little bit of added privacy for your users. But it would need to be decryptable so you can use it of course. – David Aug 04 '16 at 00:39
  • Obviously they should be encrypted. – Jonathon Reinhart Aug 04 '16 at 00:40
  • @David Actual *emails*; not email addresses. – Jonathon Reinhart Aug 04 '16 at 00:40
  • Sorry, my bad, I meant email addresses. – StealthVice7 Aug 04 '16 at 00:42
  • @StealthVice7 You should update the question to clarify that. – chris85 Aug 04 '16 at 00:43
  • I cannot see why you should encrypt a user's email address, if it is of a great concern, a user can choose to use a different FREE email at any time – SIDU Aug 04 '16 at 00:43
  • Done, fixed my question, thank you everybody for the help. – StealthVice7 Aug 04 '16 at 00:45
  • Can't post comments just yet :( read that below http://stackoverflow.com/a/70536/6590023 – AJ Riley Aug 04 '16 at 00:48
  • 1
    Possible duplicate of [Is it worth encrypting email addresses in the database?](http://stackoverflow.com/questions/70450/is-it-worth-encrypting-email-addresses-in-the-database) – David Aug 04 '16 at 00:48
  • Just hashing passwords is not sufficient. Iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as password_hash, PBKDF2, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Aug 04 '16 at 15:14

2 Answers


Usernames and email address do not have the same sensitivity as passwords.

Passwords should be secured (hopefully with bcrypt) because if Alice has used the same password on Bob's Things as she has on Gmail then any attacker gaining access to the database on Bob's Things will then not be able to gain access to Alice's email account (nor those of the other 10,000 users that regularly buy Bob's things and reuse passwords).

The email address cannot usually be hashed like passwords. If your system needs to send the user an email, it cannot do this if the email is stored in hashed form.

Plus there is less stuff an attacker can do with just the email address. Yes they could send phishing emails to your users, or they could try and password guess to gain access to accounts, however the complexity of securing the email address regarding its server-side storage is often not worth the effort.

You would be better off ensuring the interface to this database (i.e. your application and supporting infrastructure) is properly secured rather than trying to encrypt the email addresses within the database. Even if they were encrypted, key management then becomes the problem. Bottom line, the best you can do is secure your application against user enumeration if you want to protect people's email addresses from being easily discovered.

SilverlightFox

Generally:

1 - never save user's credit card number anywhere in your database, however you can save part of it if you really want to.

2 - always salt and hash user's password

3 - no need to encrypt a user's email; if you are really concerned, encrypt it, not hash it

SIDU
  • 1
    Even salting and hashing user's password is not sufficient, the hash must be iterated such that substantial time is required to brute force the passwords. See my comment to the question for more information, also see See [How to securely hash passwords, The Theory](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) on Security Stackexchange and See OWASP (Open Web Application Security Project) [Password Storage Cheat Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Leverage_an_adaptive_one-way_function). – zaph Aug 04 '16 at 15:17