GlobalEyes.TV
Back home

Security

Your account is the product. We protect it like one.

GlobalEyes.TV is built around anonymous channels, and that promise only holds if the credentials behind those channels are airtight. Here's exactly how we guard them — no marketing fluff, just the stack.

Strong passwords are mandatory at every entry point

Registration, password change, and password reset all enforce the same floor:
  • 14 characters minimum
  • At least one lowercase, uppercase, number, and symbol
  • One-click "Suggest strong password" generator on every field, using your browser's cryptographic RNG
We don't blame users for picking password — we just make it impossible.

Every new password is screened against 800M+ public breaches

Even a syntactically-strong password is worthless if it's already in a stolen-credential dump. Before we accept any new password, we screen it against Have I Been Pwned's corpus of breached passwords using its k-anonymity protocol:
  • Your password is SHA-1 hashed locally on our server
  • Only the first 5 hex characters of that hash are sent to HIBP
  • The match happens client-side against the returned suffix list
HIBP literally cannot tell which password we checked. Your plaintext never leaves our backend, ever.

Passwords are hashed with bcrypt before storage

We never store your password — not in plaintext, not in reversible form. The only thing touching our database is a one-way bcrypt hash with a per-user salt. Even a complete database dump can't be used to log in as you.

Real-time alerts when your password is changed

The moment your password is updated — from your account settings or via the email reset flow — we send you a confirmation email recording when, from what IP, and from what device. If it wasn't you, a red one-click button locks the attacker out immediately.

Single-use, hashed, expiring reset tokens

Email magic-links carry a 256-bit random token that expires 15 minutes after issue and can only be used once. We store the SHA-256 hash of the token, not the raw value — so even if our database were dumped, the dump alone can't be used to reset anyone's password.

Anti-enumeration on every auth response

Our "forgot password" endpoint returns the same generic message whether the email is registered or not. Attackers cannot use it to confirm whether someone has an account here. All login failures use identical response shapes regardless of whether the email or password was the wrong field — no information leaks through error patterns.

Channel anonymity is enforced at the API layer

Every public response — videos, comments, follows, marketplace listings — exposes only the channel handle. The owning master account ID and master username are never serialized into JSON that leaves this server. The channels feature is not just a UI label; it's a hard data boundary in the backend.

Found something we should fix?

Email security@globaleyes.tv with a clear reproduction. We acknowledge within 48 hours and credit reporters publicly (with permission) when issues are fixed.

This page is updated whenever the security stack changes. Last updated May 12, 2026 · GlobalEyes.TV is operated by NETBINGE, LLC.

Emergent