By hashing, do you mean current best practice (bcrypt, scrypt, or possibly a pbkdf with high work factor), or something easily brute forced like MD5 and SHA1. There are issues with migration if you're doing the latter, but not a big deal.
Do you have any contractual recourse against the chat provider? Have you considered including such terms in future contracts with partners?
Do you have a security audit firm? There's plenty of value to in-house audits, but some kind of independent audit is probably a reasonable choice. You probably don't have PCI concerns (it's free, right?), but users might feel better about privacy otherwise. Just the existence of an account for a given user is probably an issue for some people, so even foolish things like using the same username on a porn site as on other sites could be a leak -- being able to verify that myhusbandinvirginiasportsfan is a valid user account on youtube would potentially make a divorce attorney very happy.
Would you answer general questions about the site/business, too? The whole porn tube thing seems like a big change in the industry (I was at SHOT Show in Vegas a few weeks ago, and stopped by the concurrent AVN event -- they really hate the tubes). I'm especially curious how you feel about the meta-tube sites (e.g. fantasti.cc) which seem to blatantly scrape youporn (and other tube) content. Preroll ads still show, but nothing else.
We are currently in very close discussions with the 3rd party. In our official statement we purposely did not name them, we don't want to throw them under the bus. Of course we are reviewing all obligations.
We do deal with multiple security firms, and we regularly do security audits (both white and black box audits). We also deal with PCI, because we have paying sites as well, like Brazzers.
We can talk about the industry in general another time, but obviously we believe all types of sites can co-exist.
I'm wondering what sort of time frame you'd be looking at for a single round password, i.e; md5(salt.cleartext)
Salting a hash is meant to stop precisely these attacks, and these numbers were taken for MD5 in particular from:
What's possible for the rest of us? I can use Node.js to encrypt a typical password using PBKDF2(HMAC-SHA1) like so:
crypto.pbkdf2('sconesMultiply51', '0SGrf8KIZ', Math.pow(2, 17), 18, logger)
The above password 'sconesMultiply51' only has 40 bits of unpredictableness, so give me about two weeks, '0SGrf8KIZ', and sha1('0SGrf8KIZsconesMultiply51') and I can quite possibly find 'sconesMultiply51' by brute force on a laptop.
GPUs make things faster. This site:
What's the absolute upper bound? Well, thankfully, the biggest public supercomputers are actually very well-known and published on top500.org. The absolute top of the line today is this beast:
Lessons: (1) you'll be safe for the next 20 years at least if you just get used to
head -c 9 /dev/urandom | base64 | sed 's/+/_/g;s/\//-/g'