[ahomeDesk]

We saved the encrypted version to enable password reset. When you reset your password we send an activation code to the email you signed up with (We don’t save that email ). To reset your password you need to enter that email. We encrypt the value on the client and compare it we the value we have on our server. To make sure it s really you But at any time we don’t have user emails stored on our system. So If someone gets access she will never see emails in clear text. And most importantly we will never send users marketing emails. Only registration and password reset emails. We want to know as little as possible about our users.

[ralfk]

Informations we store [...] Hashed value of your email

okay, so you can easily make a rainbow-table and thus your users are not anonymous anymore + if someone has your database and want to know if email@email.com has an account one can easily find that out, even without the need to bruteforce all emails. Btw. in this case it makes absolutely no difference if you or the client computes the hash ;)

[stubish]

You are assuming a lack of salt when the client hashes the password.

[ralfk]

You are right, in this case he can use a salt for the hash - my second point is still valid though, but I guess that is fundamentally so if you want to use passwords

[ahomeDesk]

While there is no 100% secure system, we are working very very hard to make our system as much secure as possible.

[ralfk]

Okay and how do you choose the key for the encryption? If it is the same for all users (which from what you said it kind of has to be?) you could just decrypt it?

[BoorishBears]

A hash of the email stored then compared to a hash of the email sent during reset

[ahomeDesk]

Exactly. This is the main idea behind Dikalo. Your private stuff belong to you. We are only interested in sending your messages. This is why you can use Dikalo without even siging up