Security Policy

SIXTEENmm was built from the ground-up with security principles in mind.

When we say we encrypt your billing information, what we mean is that we employ a symmetric encryption scheme built from PBKDF2-HMAC (key derivation), AES-CBC (encryption) and HMAC-256 (integrity).

When we say we hash your username, what we mean is that we employ SHA3-256 to create a one-way hash.

When we say we hash your password, what we mean is that we employ scrypt, with two well-sourced salts and KDF parameters tuned to make brute-forcing incredibly expensive and time-consuming.

The only third party any data _may_ be sent to is the payment provider. This means we never see any of your payment information, while you continue to experience a secure environment.

JavaScript can be an attack vector in non-obvious ways. So we employ no DRM, and JavaScript is only used to enhance certain functionality on the main site. It can be safely disabled. All JavaScript files (apart from the payment provider's) are hosted directly by us, so that they are not fetched from third-party hosts that could be tampered with.

JavaScript is widely deployed on the new interface, but care is taken to make it secure, and the source is available for auditing.

To make intercepting or manipulating data on our site harder, we employ a range of HTTP security mechanisms. Everything is served over TLS (SSL) and protected by Content Security Policy headers and similar controls.

To report a security problem, see our standard security.txt file. PGP encryption is available so that you can contact us safely.