1

I have a hypothetical system where users enter their email address, and they are sent a one-time link to something or other. The system doesn't need to use the email addresses after that point, but it needs to ensure that a user doesn't perform this action twice with the same email address. To that end, I have decided to hash the email addresses just so I have a little bit less to worry about, security-wise1.

I am fully aware that a simple hash with no salt provides very little real security compared to a password hash like bcrypt, but because these are just email addresses, and not passwords, I don't think that will be much of a problem.

I have two questions:

  1. What hashing algorithm is most secure in this context? (Specifically, without using a salt)
  2. What other precautions can be taken to safeguard users' email addresses in the event of a data breach?

1This doesn't mean I'll be lazy on other areas. I'll obviously protect this information as if it was plaintext, but more security is probably better, right?

ItsTimmy
  • 111
  • 2
  • if going for obscurity as your security, i noticed SHA3 didn't have GPU support in JTR... – dandavis Aug 08 '16 at 20:07
  • I'm looking to guard against spammers harvesting addresses. And this service will run for about a year at most, so I'll purge the database after that. – ItsTimmy Aug 11 '16 at 21:37

2 Answers2

1

You could create a global salt for your application (not stored in the database, but in the code itself.) and use a rather weak hash since you're not really aiming for amazing security. For example:

$globalSalt = 'ilovebananas123';

Now, on registration it will look something like this:

$email = $_POST["email"];

$emailHash = sha1($email . $globalSalt);
// search the database for this hash.
// if no result was found, the email is unique!
Tom
  • 890
  • 1
  • 7
  • 14
0

For example, when using Cloud infrastructure:

  1. You'd use AWS Lambda or Google Functions to have function to check the email

  2. You'd create isolated collection of data like DynamoDB, Google DataStore or anything which fits your usage scenario

This way you have it isolated from the rest while keeping the price down. This is very good model as you have it very fast, secure and very cheap.

If you do not use cloud, you'd simply create EmailChecker service which you can access via API, and then you create Emails database to which only EmailChecker has access. You can use small virtual machine to provision it. It would have policy allowing for running of the service only (apart from the OS). And then the database or the collection would have dedicated credentials.

So if someone hacks into your application via SQL injection, and manages to dump it all, there won't be email addresses as you can make sure that your EmailChecker service has no SQL Injection and accepts only well formatted HTTPS requests as well it has no things like serialization built-in the HTTP handlers.

Aria
  • 2,706
  • 11
  • 19