At Hoody, we are committed to protecting our users' privacy and anonymity. We will never ask for your identity, and our team will do everything technically and legally possible to avoid requesting any personal information.
Our signup process involves generating a unique Hoody Key, known only to the user. Our encrypted database stores a double-hashed version of this key. No personal information, not even an email, is required for signup. For additional privacy, users can pay using cryptocurrencies like Monero.
We use SQLite to store this list and encrypt the database using AES-256 CTR, in addition to encrypting the running directory using LUKS. The database is backed up every minute to a secure location via SSH.
Sample Hoody Key: WE0ZD-ZWI0-U4NZ-M5MJZ
To protect against various threats, we use Argon2, a robust password hashing mechanism, followed by SHA256 with a context added. Argon2 is a good choice because it is designed to be resistant to GPU and ASIC-based attacks, and it is also resistant to side-channel attacks. This hashed result is stored in our encrypted database. Even if the database is compromised, user anonymity remains unaffected.
We also limit requests per minute to prevent brute-force attempts.
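The following added example (not Hoody's code) shows the double-hash flow described above: a memory-hard hash of the key, then SHA-256 with a context label, with only the result stored. The salt, context label, cost parameters and key normalization are assumptions, and scrypt stands in for Argon2 when the argon2-cffi package is not installed.

```python
import hashlib

try:  # Argon2id from the argon2-cffi package, when it is installed
    from argon2.low_level import Type, hash_secret_raw
except ImportError:  # otherwise scrypt from the standard library stands in
    hash_secret_raw = None

# Assumptions, not Hoody's values: salt, context label and cost parameters.
# The key is the only identifier, so the server must recompute the stored
# value from the key alone; a random per-account salt cannot be looked up.
SITE_SALT = b"constructed-site-salt"
CONTEXT = b"constructed/key-context/v1"


def normalize(key: str) -> bytes:
    """Assumed canonical form: trimmed and upper-cased."""
    return key.strip().upper().encode("utf-8")


def slow_hash(secret: bytes) -> bytes:
    """First hash: memory-hard, so each guess costs time and RAM."""
    if hash_secret_raw is not None:
        return hash_secret_raw(secret, SITE_SALT, time_cost=2, memory_cost=19456,
                               parallelism=1, hash_len=32, type=Type.ID)
    return hashlib.scrypt(secret, salt=SITE_SALT, n=2**14, r=8, p=1, dklen=32)


def stored_value(key: str) -> str:
    """Second hash: SHA-256 over a context label plus the first hash."""
    inner = slow_hash(normalize(key))
    return hashlib.sha256(CONTEXT + b"\x00" + inner).hexdigest()


class KeyStore:
    """In-memory stand-in for the database; it holds double hashes only."""

    def __init__(self) -> None:
        self.rows = set()

    def signup(self, key: str) -> None:
        self.rows.add(stored_value(key))

    def login(self, key: str) -> bool:
        return stored_value(key) in self.rows


if __name__ == "__main__":
    store = KeyStore()
    store.signup("WE0ZD-ZWI0-U4NZ-M5MJZ")  # sample key from the page
    print(store.login("we0zd-zwi0-u4nz-m5mjz"), store.login("WE0ZD-ZWI0-U4NZ-M5MJA"))
```

Because the salt is shared by every account, the memory-hard step and the size of the key space carry the brute-force resistance; the salt only separates this deployment's hashes from any other's.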
Given the key format, an attacker would need to try approximately 7.96 × 10^24 (7.96 septillion) combinations to guess a Hoody Key.
1,679,616^4 = 7,958,661,109,946,400,884,391,936
This enormous number of possible combinations ensures the security and integrity of Hoody Keys.
For added security, users can set a password on top of their Hoody Key. Our database stores only a double-hashed version of this password.
Users should never share their Hoody Keys and are responsible for safeguarding them. If a user shares their key, they must trust the individual not to add a 2-FA password, delete the key, or control the VPN location of a specific anonymous device.
If a user loses their Hoody Key, they will permanently lose their account. We do not offer any recovery mechanism, as we can't verify their payment history.
You can permanently delete your Hoody Keys from our database in the dashboard.
This will completely remove the double-hashed key, leaving no record of your previous user status.
This is useful for controversial activities or if you suspect your computer has been compromised.
Even when using non-anonymous payment gateways like PayPal, Hoody ensures that there is no way to correlate the payment back to the user:
If governments subpoena PayPal for a list of Hoody Keys, PayPal would only provide a list of useless tokens that cannot be used to track anyone.
Due to this high level of security, we are unable to issue refunds since we cannot determine which Hoody Key should be removed from the system. We believe this trade-off is necessary to ensure user anonymity.
Of course, we always recommend that users pay with crypto, as there are never enough privacy layers.