LoginSecurity

LoginSecurity is a lightweight password authorization plugin. You can optionally set a password each time you enter the server, adding a double layer of security to your account. The password is stored inside the configuration file, nobody else except the server owner can access or modify it.

How does it work?
Install the plugin to your /plugins/ directory, then start your server. Type /setpass <password>, your account is now locked with a password. For each time you log in, make sure to use /login <password>.

--> BukkitDev <--

Features
Encrypt passwords with MD5
Set a password for your account
Save all passwords in the data file
Setting a password is optional, or required (change in config)
Blocks chat, moving and commands if the player joins with a password

Commands
/setpass <password> - Set your password
/rmpass - Removes your password
/login <password> - Login with your password
/changepass <old> <new> - change your password (1.4.2+) temp broken

To do
Fix a bug where the plugin breaks on servers with more than 25 players
change files to work with MD5
support MySQL
Suggestions?

Known Bugs
If your server has over 25 players on it, the plugin acts strangely (fixed in v1.3)

Download
v2.0.3: Download (1.5.0-R0.1)
v1.6.10: Download (1.4.7-R0.1)
1. [ADMN] instead of [Admin] in title please.
2. ChangeLog at the bottom of your post please, w/ version.
Are the passwords salted? Why do you use MD5 when it is deemed not cryptographically safe? Why does this plugin contain "Security" in the title when it obviously knows nothing about it?
New version also supports SHA, SHA-1, SHA-256 and SHA-512, containing supported decoders for UTF-8 and UTF-16.
Btw, who is going to spend 2 weeks on breaking one password in your server? MD5 is safe enough.
Title updates
2 weeks? You're joking, right? If there is no salt I can guarantee it wouldn't even take a day for a combination bruteforcer to find it, let alone an online dictionary of hashes to find it.
Every time I restart my server, it keeps saying that I should be registered... when I register, log out, disconnect, and reconnect to the server, it will say that I should be logged in... but when I restart the server, it will not let me log in because I'm not registered. Help please.
The best way would be to add your own custom salt method defined in the configuration. For example, instead of
Code:
sha1(password);
you could have
Code:
sha1(password + salt)
and the salt could be like
Code:
#$%sfeyr#^(
A static salt is a bad idea, as this does not really add security: the salt can also be cracked very quickly if it's too short. It would only slow down the process a bit. Check out http://crackstation.net/hashing-security.htm. There are many examples of how to make it right, and it is also stated there that double salting is wrong when using a weak algo like MD5. So if you see a plugin that does double-salted or double-hashed passwords... stay away from them.
Hey relax, I know you probably worked really hard on your plugin, but people are expressing legitimate concerns. Some servers are very large and generate large amounts of money and are important to people; thus security is a must. I recommend that you take some time to learn a lot about security before developing a security-centered plugin. I haven't read your actual source code, but from what I've heard, you're using an unsalted MD5 hash for storing your passwords. Firstly, it's good that you aren't just using a list of raw usernames and passwords. Unfortunately, MD5 isn't enough. No hash is good enough alone. You need a dynamic salt for maximum security.
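
Added example, not code from the plugin or from any poster in this thread: it stores the same constructed accounts under the unsalted MD5 scheme, the static-salt scheme suggested above, and a per-account random salt, then lists which accounts end up with identical stored values. PBKDF2-HMAC-SHA256, the iteration count and the player names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def md5_unsalted(password):
    """Scheme from the first post: bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha1_static_salt(password, salt="#$%sfeyr#^("):
    """Scheme suggested in the thread: one salt shared by every account."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None):
    """Per-account random salt plus a slow KDF; returns 'salt$hash' in hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record.split("$")[0])
    return hmac.compare_digest(pbkdf2_record(password, salt), record)


def accounts_sharing_a_hash(store):
    """Group player names whose stored value is identical."""
    groups = defaultdict(list)
    for player, stored in store.items():
        groups[stored].append(player)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts: two players picked the same password.
PLAYERS = {"alice": "hunter2", "bob": "hunter2", "carol": "creeper!"}


def build_store(scheme):
    return {name: scheme(pw) for name, pw in PLAYERS.items()}


if __name__ == "__main__":
    for scheme in (md5_unsalted, sha1_static_salt, pbkdf2_record):
        print(scheme.__name__, accounts_sharing_a_hash(build_store(scheme)))
```

With the first two schemes a leaked data file shows which players share a password, and one precomputed table covers every account; with a per-account salt each record has to be worked on separately.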