
Ask HN: Should I delete passwords/email addresses for inactive users? - StartupTree
I run a website with circa 100,000 users. Most have not logged in for over a year.

For security, should I delete the password and email address of inactive accounts, in case I get hacked? I want to keep the account usernames and the content they have created.

If yes, is a year a reasonable cutoff date? Are there best-practice guidelines regarding this?
======
lucb1e
Interesting idea. Data hygiene is refreshing, I like the change from the
"collect everything" attitude. (My company also deletes old data from b2b
customers to avoid leaking it in case of a breach - we're an IT security
firm.) Still, it's not a common practice yet and it's hard to accurately judge
the odds that any of the protections will ever pay off. But kudos to anyone
who does it! Even as a security consultant, this is not something I regularly
get to think or advise about, so I don't have any standard or well thought out
answer. I'll just share some thoughts :)

Users may be annoyed at having to reset the password or create a new account
(if you remove their email address). Depending on the type of business (porn
site vs random forum), this may not be worth it or you might want to vary the
amount of time (shorter for a sensitive website than for a random forum).

Against credential stuffing, it would be helpful to look at the last login
date and require email confirmation after they didn't log in for ?6? months
and/or if there have been an unusually high number of invalid logins on the
platform in the past 48 hours.

Against data being stolen from your database, strong hashes are really key.
You could apply ten times the cost factor (assuming a linear cost factor; for
bcrypt this would be +3 or so) for users that didn't log in during the past few
months. They'll have to wait a second (you could even show a loading screen if
you apply some serious hashing) upon relogin but it can be fast again after
that (if you store the quicker hash after a new login). Removing the password
is even better, but the annoyance factor is probably weighed in for your
business case. Maybe after a few years, this would be worth it (for an
average, not high-security, website).

If the email address is the username, you could also hash the email address
(with a slow hash, just like the password, though you can't salt it for
indexing reasons), since the user enters the plaintext on login anyway. This
way, an attacker has a really hard time recovering it if they don't already
have it (in which case it probably doesn't matter much anyway). I guess this
doesn't work for mailing lists, but those could be kept on separate systems.

The parameters (after how long you apply which protection) additionally depend
on how commonly users return after not logging in for a while. A shop might
have a return customer after a year for infrequent / niche purchases, but a
random blog probably sees many more completely abandoned accounts.

Hope this helps! And kudos for giving this some thought :)
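The "ten times the cost factor for dormant accounts, then store the quicker hash again after login" idea above, as an added example (not lucb1e's code). It uses stdlib PBKDF2 as a stand-in for bcrypt because its iteration count is a linear cost, and assumes a 180-day cutoff and 100,000 base iterations; since a batch job does not have the plaintext, the extra cost is added as a second PBKDF2 layer over the stored digest, which is removed on the next successful login.

```python
import hashlib
import hmac
import os

# Stdlib PBKDF2 stands in for bcrypt: its iteration count is a linear cost,
# so "ten times the cost factor" is literally ten times the iterations.
ACTIVE_ITERATIONS = 100_000      # assumed base cost for active accounts
DORMANT_MULTIPLIER = 10          # "ten times the cost" for dormant accounts
DORMANT_AFTER_DAYS = 180         # assumed "?6? months" cutoff


def _pbkdf2(data: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, iterations)


def hash_password(password: str) -> dict:
    """Normal (fast) record for an active account: per-user salt, no outer layer."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ACTIVE_ITERATIONS,
            "digest": _pbkdf2(password.encode(), salt, ACTIVE_ITERATIONS),
            "outer": None}


def harden_if_dormant(record: dict, days_since_login: int) -> dict:
    """Batch job run without the plaintext: wrap the stored digest in a second,
    much slower PBKDF2 layer so an attacker with the database pays 10x per
    guess. Already-hardened or still-active records are returned unchanged."""
    if record["outer"] is not None or days_since_login < DORMANT_AFTER_DAYS:
        return record
    outer_salt = os.urandom(16)
    outer_iter = ACTIVE_ITERATIONS * (DORMANT_MULTIPLIER - 1)  # inner + outer = 10x
    record["outer"] = {"salt": outer_salt, "iterations": outer_iter}
    record["digest"] = _pbkdf2(record["digest"], outer_salt, outer_iter)
    return record


def verify_and_refresh(password: str, record: dict) -> tuple:
    """Login path: verify through both layers, and on success replace the slow
    record with a fresh fast hash (the plaintext is available now), so the
    returning user only pays the extra cost once."""
    candidate = _pbkdf2(password.encode(), record["salt"], record["iterations"])
    if record["outer"] is not None:
        outer = record["outer"]
        candidate = _pbkdf2(candidate, outer["salt"], outer["iterations"])
    if not hmac.compare_digest(candidate, record["digest"]):
        return False, record
    if record["outer"] is not None:
        record = hash_password(password)
    return True, record
```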

