
I'm currently using sha1 (I don't need to know the email addresses of my users, but they are used on my website in a login form: users must type an e-mail and password to log in). However, I don't know how sha1 behaves with upper-case letters and dots, as I assume some e-mail service providers are case sensitive, so for example I might have two users with the same e-mail address but with different upper-case letters.

Sorry for bad English.

Does sha1 correctly encrypt dots and upper-case letters? Is there a better encryption for e-mail addresses? What would you suggest I do?

Saul Tigh
  • Possible duplicate of [Is SHA-1 secure for password storage?](http://stackoverflow.com/questions/2772014/is-sha-1-secure-for-password-storage) – Panda Mar 13 '16 at 01:37
  • Thanks, though I couldn't find anything about case sensitivity or e-mails at that link :/ – Saul Tigh Mar 13 '16 at 01:40
  • While email addresses in theory *might* be case sensitive, I'd argue that 99% are not. So the question could rather be if you really want to force your users to use the exact same case every time - as neither user names nor email addresses are widely considered to be case sensitive (IMHO). In all cases, sha1 can handle it - a cryptographic hash function which only works on a subset of characters is basically worthless. – Marvin Mar 13 '16 at 01:42
  • If email=username, don't encrypt it at all, just the password. –  Mar 13 '16 at 01:45
  • @Dagon I have cookies that store the e-mail address. Do you think I shouldn't encrypt it even though it's stored in a cookie? What about sessions? – Saul Tigh Mar 13 '16 at 01:51
  • I don't see any real point in encrypting email addresses. –  Mar 13 '16 at 01:53
  • Emails are not case sensitive. Don't use SHA-1 for hashing, it is no longer considered secure. Use a SHA-2 or SHA-3 variant. – dbugger Mar 13 '16 at 02:12
  • SHA is not encryption, it is a one-way cryptographic hash. Use at least SHA156. – zaph Mar 13 '16 at 02:15
  • @zaph: Don't you mean 256? – Eric Mar 13 '16 at 05:56
  • Yes, typo: SHA256. – zaph Mar 24 '16 at 14:25

2 Answers

Email addresses are not case sensitive, so you should never be in a situation where two users have the same email address with different capitalization.

To make sure your hashing always works even when capitalization changes for the same user, your best bet is to convert the email address to lower (or upper) case before hashing.

Depending on your reason for doing this, I would also change to a newer variant (SHA-2 or SHA-3) as recommended by others and/or look into Digest Authentication as mentioned by @Object Manipulator.

Ben Holness
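The approach this answer recommends (canonicalise the address, then hash it with a SHA-2 function) as an added example that is not part of the answer or the thread. It assumes a simple normalisation policy (trim whitespace, Unicode NFC, lower-case the whole address), which is an assumption rather than something the thread specifies.

```python
import hashlib
import hmac
import unicodedata


def normalize_email(address: str) -> str:
    """Canonicalise an e-mail address before hashing.

    Policy assumed here (not taken from the thread): strip surrounding
    whitespace, apply Unicode NFC, and lower-case both parts. RFC 5321 only
    guarantees that the domain is case-insensitive, but in practice providers
    treat the local part the same way, which is what the answer relies on.
    """
    cleaned = unicodedata.normalize("NFC", address.strip())
    local, sep, domain = cleaned.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local.lower()}@{domain.lower()}"


def email_digest(address: str) -> str:
    """Hex SHA-256 (a SHA-2 variant, not SHA-1) of the normalised address."""
    data = normalize_email(address).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def same_account(stored_digest: str, submitted_address: str) -> bool:
    """Login-form check: does the submitted address map to the stored digest?

    compare_digest keeps the comparison constant-time, so timing does not
    leak how many leading hex characters matched.
    """
    return hmac.compare_digest(stored_digest, email_digest(submitted_address))


if __name__ == "__main__":
    # Constructed sample: one mailbox typed three ways (case and stray spaces).
    variants = [
        "Alice.Smith@Example.com",
        "alice.smith@example.com",
        "  ALICE.SMITH@EXAMPLE.COM ",
    ]
    # Normalised first: every spelling collapses to a single digest.
    print(len({email_digest(v) for v in variants}))
    # Hashed raw, sha1 (like any hash) sees three different users.
    print(len({hashlib.sha1(v.encode()).hexdigest() for v in variants}))
```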

I don't think it's a very good idea to encrypt the email address field. Usually, it's the password field that needs to be hashed.

However, if you're willing to make your application a lot more secure, you could try the Digest Authentication technique. Here, a combination of username and password is encrypted, along with other server variables.

You may wanna check this out: Digest Authentication

Hope this helps.

Peace! xD

Indrasis Datta
  • Why do you think it's not a good idea to encrypt the email addresses? Sorry, I don't know much about encryption/cryptography, so I'm really curious about the reasons why I shouldn't encrypt them. What are the downsides of encrypting email addresses? – Saul Tigh Mar 13 '16 at 09:01