What is the best and safest way to store user email addresses in the database? [closed]

From security reasons, is it worth encrypting user emails before putting them into the database?

I know we hash and salt passwords but that's another story as we do not really need password originals. With emails it is different.

Knowing that the decryption key will anyway be somewhere close to the database, does it make sense to encrypt emails? I suppose if someone gets into the system, they will find the key as well, if not immediately then eventually.

What are the best-practices? Are there any other options available if I run my own servers and not on a shared/virtual hosting?

EDIT: I intend to use SQL Server. And no, it is no corporate software with security requirements, just some entertainment site I have in mind.

User asked Apr 20 '09 07:04



3 Answers

If you're going to need the email address in the future, then you'll have to store them in plain text.

You could encrypt them, of course; however, this is effectively security through obscurity in this case. Basically, if your application's perimeter is secure, your data within it can be plain text. Encrypting here adds complexity to you working with the data, but doesn't really stop an attacker from getting your raw data.

As you say, if he gets through your perimeter defenses, he's likely to easily get your decryption key to decrypt the email data. Encryption may slow down the determined attacker slightly, but will not add any real security to your data.

The best scenario is to hash the email address (with salt!) and store that. This allows you to check the email address against an input value (for example) and verify that the email address input is the same as what you have stored. Of course, the major downside to this is that you can't know what the email address is without that additional value, so if you're wanting to (for example) regularly email your users, you'll be out of luck.

I suspect you're storing the email address because it's useful data, and you will want to do something with it (like send an email :) in which case, encrypting just adds overhead to working with that data, whilst gaining very little in return.

In this case, I would focus on securing access to the database itself (i.e. your "perimeter" defenses) and ensure they are as strong as can be, whilst leaving the data in the database in plain text.

CraigTP answered Oct 09 '22 08:10
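The salted-hash approach the answer above describes, as an added example that is not part of the original answer: only a salted hash of the normalized address is stored, equality can still be verified, and the lookup-by-address and "cannot mail the user" downsides show up directly in the code. The in-memory store and its (user_id, salt, hash) layout are assumptions for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Added example, not code from the original answer: keep only a salted hash of each
# address. Assumed table layout: user_id -> (salt, email_hash).
# ITERATIONS is kept low so the demo runs quickly; raise it for a real deployment.
ITERATIONS = 20_000

def normalize_email(email: str) -> str:
    """Canonicalize before hashing so 'Bob@Example.COM ' matches 'bob@example.com'."""
    return email.strip().lower()

def hash_email(email: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) of the normalized address."""
    return hashlib.pbkdf2_hmac("sha256", normalize_email(email).encode("utf-8"), salt, ITERATIONS)

class HashedEmailStore:
    """In-memory stand-in for the users table: user_id -> (salt, email_hash)."""

    def __init__(self) -> None:
        self.rows: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, user_id: str, email: str) -> None:
        salt = secrets.token_bytes(16)  # fresh random salt per row
        self.rows[user_id] = (salt, hash_email(email, salt))

    def verify(self, user_id: str, candidate: str) -> bool:
        """Check an input address against the stored hash without knowing the original."""
        salt, stored = self.rows[user_id]
        return hmac.compare_digest(hash_email(candidate, salt), stored)

    def find_by_email(self, email: str) -> str | None:
        """The downside: per-row salts leave nothing to index, so a lookup by address
        must re-hash the input against every row, and the address itself is never
        recoverable from this table (so you cannot mail the user from it)."""
        for user_id, (salt, stored) in self.rows.items():
            if hmac.compare_digest(hash_email(email, salt), stored):
                return user_id
        return None

if __name__ == "__main__":
    store = HashedEmailStore()
    store.add_user("u1", "Alice@Example.com")
    print(store.verify("u1", "alice@example.com"))   # True
    print(store.find_by_email("alice@example.com"))  # u1
```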


Hopefully this answer will answer your question as well.

Is it worth encrypting email addresses in the database?

In short, no, it is not worth encrypting user email addresses. You're right in thinking that a database compromise will likely result in somebody also gaining access to the keys required to break your encryption.

Brett Bender answered Oct 09 '22 10:10


In general I agree with others saying it's not worth the effort. However, I disagree that anyone who can access your database can probably also get your keys. That's certainly not true for SQL Injection, and may not be true for backup copies that are somehow lost or forgotten about. And I feel an email address is a personal detail, so I wouldn't care about spam but about the personal consequences when the addresses are revealed.

Of course, when you're afraid of SQL Injection then you should make sure such injection is prohibited. And backup copies should be encrypted themselves.

Still, for some online communities the members might definitely not want others to know that they are a member (like related to mental healthcare, financial help, medical and sexual advice, adult entertainment, politics, ...). In those cases, storing as few personal details as possible and encrypting those that are required (note that database-level encryption does not prevent the details from showing using SQL Injection) might not be such a bad idea. Again: treat an email address as such a personal detail.

For your entertainment site this is probably not the case, and you should focus on prohibiting SELECT * FROM through SQL Injection, and making sure visitors cannot somehow get to someone else's personal profile or order information by changing the URL.

Arjan answered Oct 09 '22 09:10
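The "prohibit SELECT * FROM through SQL Injection" point from the answer above, as an added example that is not part of the original answer: the same address lookup written with string concatenation and with a bound parameter, checked against one input that turns the WHERE clause into a tautology. SQLite stands in for the SQL Server mentioned in the question, and the table and rows are constructed for the demo.

```python
import sqlite3

# Added example, not from the original answer. Constructed seed rows for the demo.
SEED_ROWS = [("u1", "alice@example.com"), ("u2", "bob@example.org")]

def make_db() -> sqlite3.Connection:
    """Build an in-memory users table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Concatenating user input into the SQL text: the input becomes part of the query
    and can rewrite the WHERE clause, which is how one row's lookup turns into every row."""
    sql = "SELECT user_id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately from the SQL text, so whatever
    it contains is compared as data and can never change the statement's structure."""
    sql = "SELECT user_id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def rows_exposed(finder, conn: sqlite3.Connection, candidate: str) -> int:
    """Number of rows a lookup function returns for a single input value; a correct
    lookup returns at most one, since email is meant to identify one user."""
    return len(finder(conn, candidate))

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # tautology in the WHERE clause; used here only to test the fix
    print(rows_exposed(find_user_vulnerable, conn, probe))  # 2: the whole table comes back
    print(rows_exposed(find_user_safe, conn, probe))        # 0: no such address exists
```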