Is using email hash as user id a good solution to ensure anonymity?

833 views Asked by At

Imagine you want to create a "secure" messaging app which must comply to:

If someone has access to server databases, he/she can not identify the user from the field your using to substitute the normal username / email.

This solution seems interesting.

But I wonder:

  • If there are any better (more secure) alternatives
  • What hashing mechanism one should use
1

There are 1 answers

1
Chris Shain On

Not really. Hashes are good for hiding secret information, like passwords. For information like email addresses, which are usually quite easily guessed/googled, an attacker could easily pre-generate a huge list of hashes for a database of email addresses and quickly use a reverse lookup to find out if a given hash (on your system) matches up with one of the addresses in the database. That's putting aside the fact that hashes are not unique, which probably isn't a problem with a big enough hash address space.

Generally, if you want anonymous IDs, you should use randomly generated ones.