
Storing private email addresses in my database


My problem is not that I can't save emails to a database. Anybody can do that. Here is my question:

When a user makes an account on my website, they get an ID, User, Password, and Email address data. For the password I hash it so that if somebody hacks my website they won't see the real passwords. However, isn't having a bunch of email addresses saved, unprotected (like the users) a security risk?

I have never made a login system website before, and want to know if everybody else just leaves the email address unprotected in the database. (In other words, is it common just to save an email address to database as-is?).

Thanks.


Solution

  • Usernames and email addresses do not have the same sensitivity as passwords.

    Passwords should be secured (hopefully with bcrypt) because if Alice has used the same password on Bob's Things as she has on Gmail then any attacker gaining access to the database on Bob's Things will then not be able to gain access to Alice's email account (nor those of the other 10,000 users that regularly buy Bob's things and reuse passwords).

    The email address cannot usually be hashed like passwords. If your system needs to send the user an email, it cannot do this if the email is stored in hashed form.

    Plus there is less stuff an attacker can do with just the email address. Yes they could send phishing emails to your users, or they could try and password guess to gain access to accounts, however the complexity of securing the email address regarding its server-side storage is often not worth the effort.

    You would be better off ensuring the interface to this database (i.e. your application and supporting infrastructure) is properly secured rather than trying to encrypt the email addresses within the database. Even if they were encrypted, key management then becomes the problem. Bottom line, the best you can do is secure your application against user enumeration if you want to protect people's email addresses from being easily discovered.
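
As an added example (not part of the original answer), the sketch below shows one way to guard against the user enumeration mentioned above: login and password-reset replies are identical for known and unknown addresses, and an unknown address still incurs the password-hash cost. `UserStore`, its methods and the message strings are hypothetical, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os
import secrets

GENERIC_LOGIN_ERROR = "Invalid email or password."
GENERIC_RESET_REPLY = "If that address has an account, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only because it ships with Python; the answer suggests bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Hypothetical in-memory account store; emails are kept in plain text."""

    def __init__(self):
        self._users = {}   # normalized email -> (salt, password hash)
        self.outbox = []   # (email, token) pairs standing in for sent mail
        # Dummy credential so a lookup miss costs the same hash work as a hit.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[self._norm(email)] = (salt, hash_password(password, salt))

    def login(self, email: str, password: str):
        record = self._users.get(self._norm(email))
        salt, stored = record if record else (self._dummy_salt, self._dummy_hash)
        candidate = hash_password(password, salt)   # always computed
        ok = hmac.compare_digest(candidate, stored) and record is not None
        # Same message whether the email is unknown or the password is wrong.
        return (True, "Welcome back.") if ok else (False, GENERIC_LOGIN_ERROR)

    def request_reset(self, email: str) -> str:
        key = self._norm(email)
        if key in self._users:
            # Only real accounts get mail; the caller cannot tell the difference.
            self.outbox.append((key, secrets.token_urlsafe(32)))
        return GENERIC_RESET_REPLY
```
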