[ADMN] LoginSecurity v2.0.3 - secure your server! [1.5.0-R0.1]

Discussion in 'Archived: Plugin Releases' started by lenis0012, Aug 23, 2012.

  1. Offline

    lenis0012

    LoginSecurity

    LoginSecurity is a lightweight password authorization plugin. You can optionally set a password each time you enter the server, adding a double layer of security to your account. The password is stored inside the configuration file, nobody else except the server owner can access or modify it.

    How does it work?

    Install the plugin to your /plugins/ directory, then start your server.

    Type /setpass <password>, your account is now locked with a password.

    For each time you login, make sure to use /login <password>.


    --> BukkitDev <--
    Features

    • Encrypt passwords with MD5
    • Set a password for your account
    • Save all passwords in the data file
    • Setting a password is optional, or required (change in config)
    • Blocks chat, moving and commands if the player joins with a password
    Commands

    /setpass <password> - Set your password

    /rmpass - Removes your password

    /login <password> - Login with your password

    /changepass <old> <new> - change your password (1.4.2+)
    temp broken

    To do

    • Fix a bug where the plugin breaks on servers with more than 25 players
    • change files to work with MD5
    • support MySQL
    • Suggestions?
    Known Bugs

    • If your server has over 25 players on it, the plugin acts strangely
      (fixed in v1.3)
    Download

     
  2. Offline

    Deleted user

    1. [ADMN] instead of [Admin] in title please.
    2. ChangeLog at the bottom of your post please, w/ version.
     
  3. Offline

    Coelho

    Are the passwords salted? Why do you use MD5 when it is deemed not cryptographically safe? Why does this plugin contain "Security" in the title when it obviously knows nothing about it?
     
  4. Offline

    To175

    How do I configure the SQL, please?
     
  5. Offline

    TnT

    lenis0012
    If you want this to not be moved to inactive, the title needs to be kept updated.
     
  6. Offline

    lenis0012

    New version also supports SHA, SHA-1, SHA-256 and SHA-512
    Containing supported decoders for UTF-8 and UTF-16

    Btw, who is going to spend 2 weeks on breaking one password in your server?
    MD5 is safe enough

    Title updates
     
  7. Offline

    user_43347

    2 weeks? You're joking right?
    If there is no salt I can guarantee it wouldn't even take a day for a combination bruteforcer to find it, let alone an online dictionary of hashes to find it.
     
  8. Offline

    lenis0012

    same for SHA-512 with UTF-16 encoder?
     
  9. Offline

    vemacs

    Not salted, obviously. No PBKDF2 either. No iteration at all. I am disappoint.
     
    zachoooo and user_43347 like this.
  10. Offline

    lenis0012

    If you want salted hashing I will add it for you, don't worry
     
  11. Offline

    user_43347

    Oh I'm worried, you're developing a security plugin and you don't know anything about it.
     
    zachoooo likes this.
  12. Offline

    lenis0012

    listen buddy, go write your own if you're so good
     
  13. Offline

    HaloTwisterX29

    Every time I restart my server, it keeps saying that I should be registered... when I register, log out, disconnect, and reconnect to the server, it will say that I should be logged in... but when I restart the server, it will not let me log in because I'm not registered


    help pls
     
  14. Offline

    alfista

    Is it written anywhere which parameter in the config file is what?
     
  15. Offline

    Quackster

    The best way would be to add your own custom salt method defined in the configuration. For example

    Instead of

    Code:
    sha1(password);
    
    You could have

    Code:
    sha1(password + salt)
    
    And the salt could be like

    Code:
    #$%sfeyr#^(
    
     
  16. Offline

    lycano

    A static salt is a bad idea, as this does not really add security: the salt can also be cracked very quickly if it's too short. It would only slow down the process a bit.

    Check out http://crackstation.net/hashing-security.htm There are many examples of how to make it right, and it is also stated there that double salting is wrong when using a weak algo like md5.

    So if you see a plugin that does double salted or double hashed passwords .. stay away from them.
     
  17. Offline

    zachoooo

    Hey, relax. I know you probably worked really hard on your plugin, but people are expressing legitimate concerns. Some servers are very large and generate large amounts of money and are important to people; thus security is a must. I recommend that you take some time to learn a lot about security before developing a security-centered plugin. I haven't read your actual source code, but from what I've heard, you're using an unsalted md5 hash for storing your passwords. Firstly, it's good that you aren't just using a list of raw usernames and passwords. Unfortunately, MD5 isn't enough. No hash is good enough alone. You need a dynamic salt for maximum security.
     
  18. Nice Plugin. I not only make servers but I also make plugins
     

Share This Page