0

I've been wondering about something: is it more secure to store an encrypted (hashed with password_hash) email address in the database, or just as plain text? I've googled this matter and saw that there are people who are for it, and against it.

So here are my thoughts: I think it would give a little more security. Of course it's not THE defense needed, but IF someone ever gets into the database, all he can get are encrypted email addresses. To me, this sounds a tad better than plain text, right?

Also, I don't really see downsides on this one. Maybe the system will just be a bit slower, but security comes first imo.

So let me know what you guys think, hash it and save it, or just plain save it.

Serellyn

1 Answer

3

Hashing is a one-way function. Encryption can be reversed with a key; hashes cannot. The only time you'd use hashing is if you don't care what the value of something is, you just want to check that it's equal to what the user just typed in. In particular, if you hash the email addresses, you will never be able to send mail to the addresses. Since you want to send mail to the addresses, you cannot hash them.

cpast
  • Now that makes sense, dumb question of me really... -.-' But then my question remains, should the e-mail address of the users be encrypted in the database or not? Will it slow down the system a lot? (I should test this myself of course) – Serellyn Dec 18 '14 at 14:50
  • There is always a time penalty for encryption. Also, if addresses are encrypted, you can't do selects for things like "@gmail.com". The upside is that if the database is compromised, you do not expose clients' email addresses. The caveat is that the crypto key *must not* be stored in the database because a compromise will release both addresses and key. (If your OS is compromised, you're pwned no matter what you do unless you have something like a hardware security module.) – Bob Brown Dec 18 '14 at 15:21
  • Thank you for your comment, but the question has been solved now, thank you both. – Serellyn Dec 19 '14 at 20:53
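
The difference discussed in the answer and comments above, as an added example that is not part of the original posts: `password_hash` output cannot be turned back into an address, while an address encrypted with a key held outside the database can be decrypted when mail has to be sent. It assumes PHP 7.2+ with the sodium extension; `EMAIL_ENC_KEY` is a hypothetical environment variable name and the address is constructed sample data.

```php
<?php
// Added example. EMAIL_ENC_KEY is a hypothetical variable name: the key is
// read from the environment, never from the database that holds the ciphertext.
function loadKey(): string
{
    $b64 = getenv('EMAIL_ENC_KEY');
    $key = ($b64 === false) ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('EMAIL_ENC_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

// Value to store in the email column: base64(nonce || ciphertext+MAC).
function encryptEmail(string $email, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($email, $nonce, $key));
}

// Reverses encryptEmail(); fails closed on a wrong key or modified data.
function decryptEmail(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $body  = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($body, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Wrong key or tampered ciphertext');
    }
    return $plain;
}

// Demo: throwaway key and a constructed address.
putenv('EMAIL_ENC_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key   = loadKey();
$email = 'alice@example.com';

// Hashing: a guess can be confirmed, but nothing returns the address, and the
// per-hash salt means two hashes of the same address do not even match.
$hash = password_hash($email, PASSWORD_DEFAULT);
var_dump(password_verify($email, $hash));
var_dump(hash_equals($hash, password_hash($email, PASSWORD_DEFAULT)));

// Encryption: the stored value round-trips for whoever holds the key.
var_dump(decryptEmail(encryptEmail($email, $key), $key) === $email);
```

Because each encryption uses a fresh random nonce, the stored values differ from row to row even for the same address, which is why queries such as the "@gmail.com" select mentioned in the comment stop working on the encrypted column.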