tags:

views:

512

answers:

8
+4  Q: 

What is the best and safest way to store user email addresses in the database?

From security reasons, is it worth encrypting user emails before putting them into the database?

I know we hash and salt passwords but that's another story as we do not really need password originals. With emails it is different.

Knowing that the decryption key will anyway be somewhere close to the database, does it make sense to encrypt emails? I suppose if someone gets into the system, they will find the key as well, if not immediately then eventually.

What are the best-practices? Are there any other options available if I run my own servers and not on a shared/virtual hosting?

EDIT: I intend to use SQL Server. And no, it is no corporate software with security requirements, just some entertainment site I have in mind.

+9  A: 

Hopefully this answer will answer your question as well.

Is it worth encrypting email addresses in the database?

In short, no, it is not worth encrypting user email addresses. You're right in thinking that a database compromise will likely result in somebody also gaining access to the keys required to break your encryption.

Brett Bender  2009-04-20 07:47:41
I've seen this one but it seemed to be quite narrow. I'd like to hear any thoughts with regard to email security.
User  2009-04-20 07:49:48
Sometimes a server break-in only allows the attacker to see the database content itself, sparing the key, and therefore protecting the data. It would be ludicrous, though, to count on that being the case.
tylerl  2009-04-20 07:54:00
I would have to agree with others answering this question then. Most email addresses are spammed to high heaven regardless. Ones that aren't usually have spam-blocking in place, and no amount of encryption will save users if their password is "password" and somebody finds their email address. I would follow @MaxVT's advice though and sanitize/validate email addresses. Using database-wide encryption like @zoomzoom83 suggested is also a good idea if you're still concerned about security.
Brett Bender  2009-04-20 07:54:52
I wouldn't consider spam the real problem when revealing email addresses. Often an email address is really a personal detail, identifying the user. Database-wide encryption is only useful when SQL Injection is taken care of, like it should be, of course.
Arjan  2009-04-20 09:58:59
+1  A: 

Depends on how often you access the addresses. If you read them once in a while, it might make sense, but this would be one of the last security issues I would spend time on.

soulmerge  2009-04-20 07:47:52
+1  A: 

I do not encrypt user e-mails. The point is to protect the database; the keys are accessible anyway if you actually want to use the e-mails once they are stored.

Do check the address for validity and possible SQL injection, though.

MaxVT  2009-04-20 07:48:07
+1  A: 

If the application server and database are on separate servers, it would generally increase security to have all or parts of the database encrypted.

Even if they are on the same machine, a hacker may not figure out where your password is stored (although I wouldn't rely on that).

I generally wouldn't encrypt the emails at the application level, instead relying on database-wide encryption offered by most enterprise databases.

Of course if you're using something like MySQL, then you have no choice but to do it at the application level.

I normally tell my clients it isn't worth the trouble encrypting a database, however if you have stricter privacy requirements it may make sense to do so.

Zoomzoom83  2009-04-20 07:49:23
+1  A: 

I think that when people can come in your database you are anyway screwed :)

It doesn't make a lot of sense to just encrypt your email addresses. Beside that there will be a lot of other information in your database that you would not like to be gathered, the decryption key will be indeed within reach at the same time your database is open.

I would like to suggest to find your layer of security and data integrity on a higher level. So the prevention of people entering your database.

And why would email addresses be so important? Most people will anyway get spam or their email addresses will otherwise be available somewhere on the web.

Peter Smit  2009-04-20 07:49:41
+1  A: 

Encrypting database content is always a tricky consideration. Clearly the content is useless unless it can be unencrypted, and if that has to happen without human intervention, then you're storing both the cyphertext AND the key somewhere. If that somewhere is on the same machine, then one might wonder why you even bothered.

Well, there's a few reasons why you might want to do this. One is because you're required to do so because of some company policy. Another is that perhaps your database is housed in a more hostile environment than that machine that accesses it.

In general, encrypting database content isn't going to win you any awards, but if you can justify it, then you clearly have at least some motivation to do so.

tylerl  2009-04-20 07:51:45
+2  A: 

If you're going to need the email address in the future, then you'll have to store them in plain text.

You could encrypt them, of course, however, this is effectively security through obscurity in this case. Basically, if your application's perimeter is secure, your data within it can be plain text. Encrypting here adds complexity to you working with the data, but doesn't really stop an attacker from getting your raw data.

As you say, if he gets through your perimeter defenses, he's likely to easily get your decryption key to decrypt the email data. Encryption may slow down the determined attacker slightly, but will not add any real security to your data.

The best scenario is to hash the email address (with salt!) and store that. This allows you to check the email address against an input value (for example) and verify that the email address input is the same as what you have stored, of course, the major downside for this is that you can't know what the email address is without that additional value, so if you're wanting to (for example) regularly email your users, you'll be out of luck.

I suspect you're storing the email address because it's useful data, and you will want to do something with it (like send an email :) in which case, encrypting just adds overhead to working with that data, whilst gaining very little in return.

In this case, I would focus on securing access the database itself (i.e. your "perimeter" defenses) and ensure they are as strong as can be, whilst leaving the data in the database in plain text.

CraigTP  2009-04-20 07:53:16
+3  A: 

In general I agree with others saying it's not worth the effort. However, I disagree that anyone who can access your database can probably also get your keys. That's certainly not true for SQL Injection, and may not be true for backup copies that are somehow lost or forgotten about. And I feel an email address is a personal detail, so I wouldn't care about spam but about the personal consequences when the addresses are revealed.

Of course, when you're afraid of SQL Injection then you should make sure such injection is prohibited. And backup copies should be encrypted themselves.

Still, for some online communities the members might definitely not want others to know that they are a member (like related to mental healthcare, financial help, medical and sexual advice, adult entertainment, politics, ...). In those cases, storing as few personal details as possible and encrypting those that are required (note that database-level encryption does not prevent the details from showing using SQL Injection), might not be such a bad idea. Again: treat an email address as such personal detail.

For your entertainment site this is probably not the case, and you should focus on prohibiting SELECT * FROM through SQL Injection, and making sure visitors cannot somehow get to someone else's personal profile or order information by changing the URL.

Arjan  2009-04-20 09:28:53

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security