I'm creating a MySQL database with registered users, and I'm thinking to use md5 not only for passwords but for e-mails too.
I think this choice can improve user security, but I'm n开发者_StackOverflow中文版ot yet an expert with databases and I'm not sure if this is wise or not!
I hope this isn't a stupid question!
Do you not want to be able to get the email addresses back later on, such as to email them with news of an update? Hashing is a one-way process.
Using a hash for the email address would work in terms of the user entering their email address to get a new temporary password, in that you would have the address right there and then - but if you needed to email them later, you wouldn't have the information any more.
If you store the emails as MD5 digests, you can't email your users anymore...
MD5 is one sided - it cannot be revered. For passwords, this is desireable - no one can figure out the password.
For emails, not so much - you will not be able to send emails to your users, only confirm it is the same as previously entered.
You should not only MD5 your passwords, but add salt value and hash resulting password multiple times, then save salt and hashed string in database. That way it will be harder to guess original password - it's not about your security (cracker can bruteforce passwords same way, but it'll be a little slower, which is good), it's about users security. Many of users use same password in multiple sites. More info in http://www.codinghorror.com/blog/archives/000953.html
You can use a one way hash like MD5 or SHA-2 to sign a message to make it harder to forge or alter, but there's no practical way to convert the hash back into a message.
精彩评论