Imagine you want to create a "secure" messaging app which must comply to:
If someone has access to server databases, he/she can not identify the user from the field your using to substitute the normal username / email.
This solution seems interesting.
But I wonder:
- If there are any better (more secure) alternatives
- What hashing mechanism one should use
Not really. Hashes are good for hiding secret information, like passwords. For information like email addresses, which are usually quite easily guessed/googled, an attacker could easily pre-generate a huge list of hashes for a database of email addresses and quickly use a reverse lookup to find out if a given hash (on your system) matches up with one of the addresses in the database. That's putting aside the fact that hashes are not unique, which probably isn't a problem with a big enough hash address space.
Generally, if you want anonymous IDs, you should use randomly generated ones.