Do you know if Devise provides a feature to store the email hashed in the database?
If this is the case, what are the drawbacks of using this feature?
The two I can think of are:
- it will obviously not be possible to see the email on the edit “screen” (except in the [theoretical] case where the email would be stored using symmetric encryption instead of the standard one).
- if the salt is (for any reason) compromised and needs to be changed, planning a recovery strategy would be a tough job (rather than just forcing the users to change their password at the next login). However, I think this is doable.
Thanks,
Not quite answering the question, but I want to raise the point that you don’t want to hash the login value. Symmetric encryption, maybe. Salted? No.
Why not? Your login system has to find the correct record for the person who is trying to log in. This means you have to hash/encrypt the value and compare with other hashed/encrypted values. A salt would kill chances of doing that in one go, and you’d have to run a table scan each time. Also, you would have nothing but probability to guarantee that two people’s logins don’t have a hash collision.
Using a single salt for the entire application kills the whole purpose of a salt, so there is no reason for using one. However, if you wish to do so, then it solves the comparison problem.
But you are still left with the problem that you can have collisions. The probability is low but nonzero, and as you get more users the Birthday Effect will come into play and you very well might get a problem.
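To make the lookup argument in the answer above concrete, here is an added Ruby example (not Devise code and not from either poster). It builds a toy in-memory user table two ways: with a fresh random salt per row, where a login attempt has to rehash the submitted email against every row's salt, and with one application-wide key used in a deterministic HMAC-SHA256 digest, where the digest can live in an indexed column and be found with a single probe. The `APP_KEY` constant and the sample addresses are constructed for the demo; the last function is the standard birthday-bound approximation for the collision probability the answer mentions.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical application-wide secret for the deterministic variant.
# In a real app this comes from the credential store, never from source.
APP_KEY = SecureRandom.hex(32)

def normalize(email)
  email.strip.downcase
end

# Per-user salted digest: the same email hashes differently in every row,
# so there is no single value a database index could be built on.
def salted_hash(email, salt)
  OpenSSL::Digest::SHA256.hexdigest(salt + normalize(email))
end

# Deterministic keyed digest (HMAC with the app-wide key): the same email
# always maps to the same value, so it can be stored in an indexed column.
def keyed_hash(email, key = APP_KEY)
  OpenSSL::HMAC.hexdigest('SHA256', key, normalize(email))
end

# Constructed sample table: one row per email, each with its own random salt.
def build_per_user_salt_table(emails)
  emails.each_with_index.map do |e, id|
    salt = SecureRandom.hex(16)
    { id: id, salt: salt, email_hash: salted_hash(e, salt) }
  end
end

# Login lookup with per-user salts: every row must be rehashed with its own
# salt (a table scan). Returns [row_or_nil, number_of_hashes_computed].
def find_with_per_user_salt(table, email)
  hashes = 0
  row = table.find do |r|
    hashes += 1
    r[:email_hash] == salted_hash(email, r[:salt])
  end
  [row, hashes]
end

# Index keyed by the deterministic digest (models a unique DB index on the column).
def build_keyed_index(emails)
  emails.each_with_index.map { |e, id| [keyed_hash(e), id] }.to_h
end

# Login lookup with the keyed digest: one hash computation, one index probe.
def find_with_keyed_index(index, email)
  index[keyed_hash(email)]
end

# Birthday bound: probability that at least two of n uniformly random values
# collide in a space of 2**bits, using 1 - exp(-n(n-1) / 2^(bits+1)).
def collision_probability(n, bits)
  1.0 - Math.exp(-(n.to_f * (n - 1)) / (2.0**(bits + 1)))
end

if __FILE__ == $PROGRAM_NAME
  emails = %w[alice@example.com bob@example.com carol@example.com]
  table = build_per_user_salt_table(emails)
  row, work = find_with_per_user_salt(table, 'Carol@Example.com')
  puts "per-user salt: found id=#{row[:id]} after #{work} hash computations"
  index = build_keyed_index(emails)
  puts "keyed index: found id=#{find_with_keyed_index(index, 'carol@example.com')} with 1 hash"
  puts "birthday collision chance, 1e6 users, 256-bit digest: #{collision_probability(1_000_000, 256)}"
end
```

The scan cost grows with the user count, which is the operational problem the answer points at; the keyed variant keeps the lookup constant-time but, as the answer also notes, ties the whole column to one secret, so rotating that key means recomputing every stored digest. With a full 256-bit digest the birthday probability is negligible for any realistic user count; it only becomes a practical concern if the stored digest is truncated.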