security of email addresses in database

[IndynewToPhp]

I'd like to add a bit of security to my stored email addresses.  I am thinking of using mcrypt to do this. Is this a good idea?....or... Are there negative consequences of this I am not thinking of?

 

Goal is to prevent at least "trouble free" phishing of my email list if the database is compromised.

 

Thanks

[WolfRage]

I think it is a very good idea, except that you have to protect the key or else it will have been a fruitless effort. Also you have to weigh the benfit with the cost of trying to access a email address for use. It will now take at least twice as long becuase each email must be decrypted before it can be utilized.

[Daniel0]

I don't think it's worth it, TBH. It's not like an email address is particularly sensitive information. Just get a good spam filter. I get some 1500 per month, but they're all caught.

[WolfRage]

I agree with that as well as far as individual responsibility, and between g-mail and thunderbird; I have no spam issues, but if he wishes to protect the emails any way, just to show he is protecting individual privacy, it is a feasible route.

[IndynewToPhp]

Daniel0,

 

I guess one part of me agrees with you...but  the other part has this concern: If my database is compromised, it is much easier to send a phishing email regarding my website because that is where the email was found. In other words, someone could send an email (albeit fake) to the people in my database saying "Hey we want to update our info, send your SS#, first borns name, banking account info..." blah blah blah and have it look like it came from my website. The person receiving the email knows they've signed up on my website...thereby making it all the more believable.

 

Yeah, it seems as though the receiver of such an email should know better but it may be better to prevent it from happening (or at least attempt to make it not so easy)...in the first place.

 

I more than welcome dissenting thoughts on this!

[IndynewToPhp]

Does anyone have additional advise on this or comments...if not...I guess I will implement it.

 

I also wonder if storing a persons maiden name is a good idea or not? Is there any security issue/identify theft issue there as well?

[ToonMariner]

Have you considered normalizing your storage of emails?

 

I split the email address into its local and domain parts... you can store the the domain part as normal but can then encrypt the local part. e.g joe@bloggs.com...

 

in my user table i store 'joe' in `email_local` and 1 in `domain`. then just have an association table to mach 1 to 'bloggs.com' - advantage of this is most people will have hotmail gmail etc so you cut down the amount of data stored significantly.

 

You still have the encryption to do - I'd leave that to mysql - use the aes_encrypt and aes_decrypt functions in your query - this should' be more efficient than decrypting the results in php.

 

so what you will end up with in should someone gain access to your database is a table full of domain names that they can read and a field in your user table with the local part of the email encrypted.

 

you will always have to pay for encryption/decryption but reducing the amount of data you are encrytping should always help.  Other may have better options but what I've suggested above is what I do - I'd love to improve so hopefully someone will have a better plan!!

[WolfRage]

Brilliant, at first I was like, nah that wouldn't do that much good, but holly crap; it is a signifigent reduction in size.

[Daniel0]

Size is not your only concern in software engineering. Factors such as development time, code complexity, and performance are important as well.

[ToonMariner]

Daniel is correct in that In this case there is no extra hit on your code IF you let the database manage the encryption - I very much doubt you will see a significant performance hit on this.

 

only point i would make here is that you sould use a class tomanage this and encrypt that file too (with zendguard or ion cube) so that your encryption salt is not available if they get ftp access too!

[Daniel0]

Daniel is correct in that In this case there is no extra hit on your code IF you let the database manage the encryption - I very much doubt you will see a significant performance hit on this.

 

No, not in your script, but the database server will most certainly take a performance hit.

 

If you for instance encrypt the email address then you will need to store it in a BLOB, but this means you cannot make any indexes, so if you have like one million rows and need to find the user with a particular address then you'll need to check every row, which will most certainly be slower than selecting from an indexed row.

[ToonMariner]

of course there will be a hit - but thats the trade off - if you need encryption then you need encryption.  with the hardwae today that hit is not 'that bad'.

[corbin]

ToonMariner, you way overestimate servers.  Also, just because something "can do it the slow way," doesn't mean that it should be done the slow way.

 

 

Lets say you have a popular site with email searching capabilities.  Now, lets say that there are 0-10 concurrent email address searching queries.  That will kill MySQL.  (Well, not literally kill, but MySQL wouldn't like it much.)