Is it worth encrypting email addresses in the database?

南笙 2020-11-29 06:03

I'm already using salted hashing to store passwords in my database, which means that I should be immune to rainbow table attacks.

I had a thought, though: what if s

10 answers
  •  情书的邮戳
    2020-11-29 06:20

    In common with most security requirements, you need to understand the level of threat.

    What damage can be done if the email addresses are compromised?

    What's the chance of it happening?

    The damage done if email addresses are REPLACED could be much greater than if they're EXPOSED. Especially if you're, for example, using the email address to verify password resets to a secure system.

    The chance of the passwords being either replaced or exposed is much reduced if you hash them, but it depends what other controls you have in place.
