When users register, should I store their email in the db as is or hash it? I want to be able to decrypt it later, so should I use md5?
Thank you!
No, md5() is a one-way hash function. You can't decrypt its value. Usually it is used for passwords, which don't need to be decrypted. Instead you compare hashes like:
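$salt = "adding some secret to increase security";
// compare the salted hash of the submitted password with the stored hash;
// === avoids PHP's loose-comparison type juggling on hash strings
if (md5($user_password . $salt) === $user_password_hash_from_db) {
    // password is ok
}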
If you want to be able to decrypt your value, then use the crypt PHP function instead. But it may require additional modules to be installed.
Anyway, I don't see any practical reason to crypt email.
It's not common to encrypt email addresses. If someone really wants to keep their email private, they wouldn't give it to your site in the first place :)
MD5 is a hash, which makes it almost impossible to get the original value back. You should use encryption instead of a hash if you want to get the email back.
I agree that emails are a (minor) information security issue, since that becomes personal information that you've let out into the world if someone gets access to your database, but you'll be wanting a two-way encryption/decryption method to be able to pull the emails back out, as Ivan has mentioned.
Just be aware that basic MD5 hashing is no longer a secure hash.
As Wikipedia says in many different ways, no longer secure ( http://en.wikipedia.org/wiki/MD5 ):
US-CERT of the U.S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use,"[7] and most U.S. government applications will be required to move to the SHA-2 family of hash functions by 2010.[8]
I think one major problem with it is that there are rainbow tables of md5 hashes all over these days, so bare md5 is very susceptible to brute forcing.
Consider it a useful tool for minor obfuscation and sanitizing complex data sets, but it is not a truly secure hash any more. There may be special hoops that you can jump through like both using a salt and performing nested md5 hashings to make it more secure, though I'm no cryptographer. You might want to check out other SO threads like this one for good overall encryption solutions.
md5 isn't an encryption method, it's a one-way hash. There's no reason to encrypt email addresses in the database. I would leave them as is.
If you intend to decrypt them later, MD5 won't be an option, since it only hashes strings; you lose the original data.
I suggest you try some of the built-in PHP encryption functions for that.
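The difference the answers describe between a one-way hash and two-way encryption, as an added example that is not part of the original thread. It assumes PHP 7.1+ with the openssl extension and picks AES-256-GCM as one possible cipher; the function names, the sample address and the inline-generated key are hypothetical.

```php
<?php
// Added example, not code from the thread. Names and sample data are hypothetical;
// the key is generated inline only so the script runs stand-alone.
const CIPHER = 'aes-256-gcm';
const NONCE_LEN = 12;   // GCM nonce length in bytes
const TAG_LEN = 16;     // GCM authentication tag length in bytes

function encrypt_email(string $email, string $key): string
{
    $nonce = random_bytes(NONCE_LEN);           // fresh nonce for every stored value
    $tag = '';
    $ct = openssl_encrypt($email, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);  // one text column holds all three parts
}

function decrypt_email(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag = substr($raw, NONCE_LEN, TAG_LEN);
    $ct = substr($raw, NONCE_LEN + TAG_LEN);
    $email = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($email === false) {                     // wrong key or modified value
        throw new RuntimeException('decryption failed');
    }
    return $email;
}

$key = random_bytes(32);                        // constructed 256-bit key
$email = 'alice@example.com';                   // constructed sample input
$stored = encrypt_email($email, $key);
var_dump(decrypt_email($stored, $key) === $email);  // round trip with the right key

// md5() returns a fixed-length digest whatever the input length, so the
// original address cannot be computed back from it.
var_dump(strlen(md5($email)), strlen(md5(str_repeat($email, 100))));

// A different key must not decrypt the stored value.
try {
    decrypt_email($stored, random_bytes(32));
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The encryption only protects the column if the key is kept somewhere other than the database that holds the ciphertext.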
The other answers say it all.
However, you should always hash passwords with at least md5() and a salt, as pointed out in Ivan's reply.