this post was submitted on 08 Aug 2025
30 points (94.1% liked)


I remember hearing before that it's a sign they are storing your info unencrypted but I never checked.

Is this true? I was logging into a .gov website and noticed it does that.

[–] IHawkMike@lemmy.world 9 points 2 months ago (15 children)

I don't think many places encrypt/hash email addresses, but even if they did they could just apply the hash algorithm to what you entered to compare the hashes.

[–] joshcodes@programming.dev 1 points 2 months ago (13 children)

So ultimately hashing an email address could be a good thing, but it's a matter of half measures. Sure, you can perform a basic hash before putting it in the database, but if we assume hashing is performed to prevent it being read by an attacker, why bother unless you're doing it properly?

Passwords, being more sensitive, should only be compared once finished being entered, so you can afford to run all the hashing, salting etc that is a requirement to keep the passwords safe.

If you were going to hash the email to the same standard, it becomes harder to retrieve and display, so when the user wants to look at their profile in the UI, you have to run an intense cryptographic algorithm just to display the email. Or if you want to contact the customer, or any other use for their email. Hence, people don't bother.

[–] CameronDev@programming.dev 8 points 2 months ago (1 children)

Hashing is completely irreversible. You cannot hash an email address and then unhash it. At most you can brute-force guess the email until the hash matches, but this is basically impossible.

Hashing the email address would break one of the main reasons to use an email address - the ability to send emails to users.

Encrypting email addresses is fine, but you wouldn't compare the encrypted data, you'd just decrypt and compare the original email address.

[–] joshcodes@programming.dev 2 points 2 months ago

Man, you're totally right and I now feel embarrassed I forgot that.
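
The scheme discussed in the comments above, as an added example that is not part of the thread: the address is stored only as a deterministic keyed hash, so it can be looked up by re-hashing what the user typed, while the password gets a per-user salt and a slow KDF. `INDEX_KEY`, `UserStore` and the sample account are constructed for illustration, and lowercasing the address before hashing is an assumption.

```python
import hashlib
import hmac
import os

# Constructed demo key (assumption); a real one would live in a secret store.
INDEX_KEY = b"constructed-demo-key"
PBKDF2_ROUNDS = 200_000


def email_index(email: str) -> str:
    """Deterministic keyed hash of the normalized address, used as lookup key."""
    # Assumption: addresses are treated as case-insensitive for lookup.
    normalized = email.strip().lower()
    return hmac.new(INDEX_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: fine for one check at login, too costly for display."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """Hypothetical in-memory user table: email_index -> (salt, password_hash)."""

    def __init__(self):
        self._rows = {}

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)  # per-user salt: only possible for the password
        self._rows[email_index(email)] = (salt, hash_password(password, salt))

    def email_known(self, email: str) -> bool:
        # Re-hash what was typed and compare; no plaintext address is needed.
        return email_index(email) in self._rows

    def login(self, email: str, password: str) -> bool:
        row = self._rows.get(email_index(email))
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, hash_password(password, salt))

    def stored_keys(self):
        return list(self._rows)


if __name__ == "__main__":
    store = UserStore()
    store.register("Alice@Example.org", "correct horse")  # constructed account
    print(store.email_known(" alice@example.org "), store.stored_keys())
```

Nothing in this store can be turned back into an address, so a site that needs to send mail has to keep an encrypted copy next to the index.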
