[ADMN] LoginSecurity v2.0.3 - secure your server! [1.5.0-R0.1]

Discussion in 'Archived: Plugin Releases' started by lenis0012, Aug 23, 2012.

  1. Offline



    LoginSecurity is a lightweight password authorization plugin. You can optionally set a password each time you enter the server, adding a double layer of security to your account. The password is stored inside the configuration file; nobody except the server owner can access or modify it.

    How does it work?

    Install the plugin to your /plugins/ directory, then start your server.

    Type /setpass <password>; your account is now locked with a password.

    Each time you log in, make sure to use /login <password>.

    --> BukkitDev <--

    • Encrypt passwords with MD5
    • Set a password for your account
    • Save all passwords in the data file
    • Setting a password is optional or required (change in config)
    • Blocks chat, moving and commands if the player joins with a password

    /setpass <password> - Set your password

    /rmpass - Removes your password

    /login <password> - Login with your password

    /changepass <old> <new> - change your password (1.4.2+)
    temp broken

    To do

    • Fix a bug where the plugin breaks on servers with more than 25 players
    • change files to work with MD5
    • support MySQL
    • Suggestions?
    Known Bugs

    • If your server has over 25 players on it, the plugin acts strangely
      (fixed in v1.3)

  2. Offline

    Deleted user

    1. [ADMN] instead of [Admin] in title please.
    2. ChangeLog at the bottom of your post please, w/ version.
  3. Offline


    Are the passwords salted? Why do you use MD5 when it is deemed not cryptographically safe? Why does this plugin contain "Security" in the title when it obviously knows nothing about it?
  4. Offline


    How do I configure the SQL, please?
  5. Offline


    If you want this to not be moved to inactive, the title needs to be kept updated.
  6. Offline


    New version also supports SHA, SHA-1, SHA-256 and SHA-512
    Containing supported decoders for UTF-8 and UTF-16

    Btw, who is going to spend 2 weeks on breaking one password in your server?
    MD5 is safe enough

    Title updates
  7. Offline


    2 weeks? You're joking right?
    If there is no salt I can guarantee it wouldn't even take a day for a combination bruteforcer to find it, let alone an online dictionary of hashes to find it.
  8. Offline


    same for SHA-512 with UTF-16 encoder?
  9. Offline


    Not salted, obviously. No PBKDF2 either. No iteration at all. I am disappoint.
  10. Offline


    If you want salted hashing I will add it for you, don't worry
  11. Offline


    Oh I'm worried, you're developing a security plugin and you don't know anything about it.
  12. Offline


    listen buddy, go write your own if you're so good
  13. Offline


    Every time I restart my server, it keeps saying that I should be registered... When I register, log out, disconnect, and reconnect to the server, it will say that I should be logged in... but when I restart the server, it will not let me log in because I'm not registered

    help pls
  14. Offline


    Is it written anywhere which parameter in the config file is what?
  15. Offline


    The best way would be to add your own custom salt method defined in the configuration. For example

    Instead of

    You could have

    sha1(password + salt)
    And the salt could be like

  16. Offline


    A static salt is a bad idea, as this does not really add security: the salt can also be cracked very quickly if it's too short. It would only slow down the process a bit.

    Check out http://crackstation.net/hashing-security.htm. There are many examples of how to do it right, and it is also stated there that double salting is wrong when using a weak algo like md5.

    So if you see a plugin that does double salted or double hashed passwords .. stay away from them.
  17. Offline


    Hey relax, I know you probably worked really hard on your plugin, but people are expressing legitimate concerns. Some servers are very large and generate large amounts of money and are important to people; thus security is a must. I recommend that you take some time to learn a lot about security before developing a security-centered plugin. I haven't read your actual source code, but from what I've heard, you're using an unsalted md5 hash for storing your passwords. Firstly, it's good that you aren't just using a list of raw usernames and passwords. Unfortunately, MD5 isn't enough. No hash is good enough alone. You need a dynamic salt for maximum security.
  18. Nice Plugin. I not only make servers but I also make plugins
