Hi, I’m interested in using discourse for a whitelisted, anonymous discussion board.
Is it possible to hash the emails stored in the database right after it’s verified?
I understand this means that if the user forgot his/her password then it can’t be recovered.
Thank you.
What do you mean? The passwords are already hashed in the database. Read the security.md doc in our github repository.
Hi Jeff, thanks for the reply. What I meant is not just hashing the password, but the emails as well. So even as the website/forum owner, we don’t know which emails the users use after it’s been verified.
I guess what we want to achieve is similar to https://www.teamblind.com/
That… doesn’t make any sense, because we need the email to send emails. Which you do on “forgot password” and signup, if nothing else.
I agree that one of the consequences would be that “forgot password” wouldn’t be working. As for signup, we thought of only keeping it until it’s verified, then we hash it.
We want to know as little as possible about our users, aside from the initial email domain whitelist.
That’s the idea we have right now haha
Not possible and we have no plans to do it. Email is central to identity in Discourse. You could maybe use invalid emails to sign up, but I have no idea how you’d confirm your signup via email in that case 
Yes, invalid emails wouldn’t work either.
Thanks a lot for the replies, Jeff.
You could create and manually activate users with intentionally invalid email addresses, disable all email globally in the site setting… people would be out of luck if they ever forgot their password, though. Each and every signup would require manual activation by staff.
I see, I guess that’s an option.
We do want to verify the email domain though.
Thank you.
We’ll also explore other ways to achieve the goal.
Cheers 
what about signing in with 10 minutes mails ?
We do want to limit registration from whitelisted email domains. Using temp emails doesn’t work for that purpose.
But wouldn’t that bring the greatest secrecy? The user must remember his email, or else.
People would sign up with their real email address and then change their address to a temporary one.
That means log entries at mailgun or similar for the original email, so not anonymous.
Agreed, but we still need the initial filter that the user originated from a certain group. We want to verify their work email.
Hm…that’s definitely something to consider. Seems like it’s doable. Thanks for the input!
Agh…that’s true…
You should use SSO, then you can handle authentication outside Discourse and do whatever you want, and return invalid emails back, since your app will handle authentication.
Very interesting.
This might be beyond me for now, I’ll need to consult with my partner.
Thank you!
How about relying on an anonymous email service like Protonmail ?
The issue is that we want to confirm that the users only come from whitelisted work email domains.
So you want to identify users by email, but not use email thereafter?
Are you worried about the users being identifiable due to the content being discussed?