Why are emails not commonly hashed when stored in db?

Question

With almost weekly news about databases being pilfered I am wondering why only passwords are hashed and not emails too? To be clear, I mean hashed with a static salt, which is stored somewhere other than the database.

Obviously, it's just one step among many. But as part of a multi-faceted security setup (ie - PDO, not rolling your own hasher, rate limiting, etc etc) why is it not more common to hash the email? Regarding logins (+ password reminder emails, etc) you could simply do a regular compare. Surely user emails should be treated more respectfully?

I have read a number of similar questions on SO / sister sites but am really unconvinced as to how this is not an idea that should be adopted more frequently?

How do you plan on sending an email that has been hashed? I think you are missing one critical step, you should be looking up what hash is, it will answer the question for you. — Adam Buchanan Smith, May 06 '16 at 17:55
See also: [Fundamental difference between Hashing and Encryption algorithms](http://stackoverflow.com/q/4948322) — mario, May 06 '16 at 17:56

score 4 · Answer 1 · answered May 06 '16 at 17:52

4

Because you usually need to be able to read the email address at a later date. Not just verify its value.

Passwords are not used for anything but validation so you don't need to know it's actual value so long as you have a way to validate that value. Comparing hashes allows you to do that.

Emails addresses are actually used for something. Like, sending emails. You can't do that unless you can actually read the email address.

answered May 06 '16 at 17:52

John Conde

217,595
99
455
496

1

*Aye, true John.* However, they can always encode/decode it, but that's just way too much work for nothing really. – Funk Forty Niner May 06 '16 at 18:13
1

@Fred-ii- Exactly. Unless for some reason those email addresses are senstivie, and that's a reach, encrypting them is unnecessary overhead. – John Conde May 06 '16 at 18:19
I agree John. I was thinking of the same sorts a few weeks ago and glad that I talked it over with a mutual friend of ours and made me "see the light". I quickly abandoned the idea. A mere *1 minute of thought* saved me *hours of work* ;-) – Funk Forty Niner May 06 '16 at 18:21
I think I was using the incorrect terminology (hashing vs encryption) - my mistake. Regardless, I am not convinced. To answer the question of how to send an email - you do not send an email unless the one entered (ie, on my email form) matches the encrypted entry in the db (ie via password_hash). As to the question of "why bother" - because I believe that emails are hugely private and sensitive bits of info that should be secured. – Appl3s Jun 09 '16 at 17:24

Why are emails not commonly hashed when stored in db?

1 Answers1