Databases being Sold for Email Addresses!

[Echelon One]

Hi,

I would like to put forward a proposal to IPS, and how email addresses are stored within the database, which is like any other forum software these days.

What concerns me is many people leave sql dumps in their webroots, while others get attacked not via the forum script but other means, and usually security holes found in scripts. This leads me on to my main concern, email addresses.

I have seen on numerous forums over the years where people are selling databases, whereby they are farming the databases for email addresses, and depending on the number of accounts available depends on how much they can get. Course they do not make much, some sell for as little as $5

[AndyF]

Its an interesting idea :)

Although I do think one of the primary reasons a database would be stolen would be to harvest all the emails unfortunately.


Although I think you can never be 100% secure, only 99.9% (assuming your host keeps your server up to date and patched appropriately) , leaving database dumps out in the open in the webroot is asking for trouble. :)

I do like your idea though generally, I will admit.

[Charles]

Unlike your password which can be hashed using a one-way method, the software must be able to read your email address. This means it would need to be encrypted in a way that can be decrypted through the software.

If a server is compromised enough to download a database one assumes that an attacker could also get the salt used and easily look at our source code to see how the encryption was done. The attacker could then decrypt the emails in the exact same way the normal running of the software does.

My point here is that you would be introducing a false sense of security.