LoginSecurity Icon



LoginSecurity is a lightweight password authorization plugin. You can optionally set a password each time you enter the server, adding a double layer of security to your account. The password is stored inside the configuration file, nobody else except the server owner can access or modify it.

How does it work?

Install the pluign to your /plugins/ directory, then start your server.
Type /register <password>, your account is now locked with a password.
For each time you login, make sure to use /login <password>.


  • Register your account optional or required (change in config)
  • 5 useful commands to manage your password
  • Saving supported in SQLite and MySQL
  • Encryption available in: MD5, SHA, SHA-1, SHA-256, SHA-512 and PHPBB3
  • Custom encoder: UTF-8 and UTF-16
  • Customizeable login session
  • Customizeable login timeout
  • Custom min and max length for passwords
  • Messager API for client mods
  • User friendly experiance
  • Converter for xAuth (detects if xAuth is installed)
  • Easy to use
  • Blocks anything from happening before logged in (commands, movement ,etc.)
  • Supports blindness effect for login
  • Prevents being kicked by orther players loging in with your name

Session login allows the user to log in right after they logged out and not have to type in their password again. (1 minute time limit of being logged out, stores IP during that time to keep everything safe)


/lac - Admin command, rmpass and reload

/register <password> - Set your password

/rmpass - Removes your password

/login <password> - Login with your password

/changepass <old> <new> - change your password

/logout - Logout


  • ls.admin - allows admin command


This tutorial is outdated, alot of things have changed after v2.0
Orther tutorials: German (by MineCraftler4Live)

To do

  • MD5 support
  • Add an IP lock
  • Add a login session
  • Fix /changepass
  • Add a language.yml for language support
  • add login timeout
  • add ip checker
  • Suggestions?

Known Bugs

  • Players can mount/dismount and ride on vehicles while not logged in


By default, LoginSecurity will check for updates from bukkitdev every 3 hours.
This feature can be disabled by setting "update-checker" to "false"
Anyone with the permission node ls.admin will be notified of updates, and it also able to download them via /lac update.
Which again can be disabled by disabling the update-checker

This plugin utilises Hidendra's plugin metrics system, which means that the following information is collected and sent to mcstats.org:

  • A unique identifier
  • The server's version of Java
  • Whether the server is in offline or online mode
  • The plugin's version
  • The server's version
  • The OS version/name and architecture
  • The core count for the CPU
  • The number of players online The Metrics version Opting out of this service can be done by editing plugins/Plugin Metrics/config.yml and changing opt-out to true.


If you want to support me working on this project, please donate.
It helps me alot to keep my projects up.
Donate at the top right corner

LoginSecurity build server

You must login to post a comment. Don't have an account? Register to get one!

  • Avatar of Thoughtyness Thoughtyness Apr 24, 2016 at 23:41 UTC - 0 likes

    Thank you for making this, but at 3:34 you said that that was the encrypted form of the password, but it was the hashed form. Encryption: Kind A is private key. Example: The ceaser cipher. Shifting the letters by three so a=c,b=d,c=e. Kind b is public key. Example: R.S.A. Relies on the difficulty of factoring a number. Encryption can be decrypted by knowing the key, and can be hacked. Hashing can not be decrypted, but can be hacked.

  • Avatar of Theone102 Theone102 Apr 18, 2016 at 23:16 UTC - 0 likes

    Is it possible to make it so that ONLY staff has to login/register? I don't want to make everyone who is default have to login every time if possible. If this plugin doesn't support this, is there one that does?

    Last edited Apr 19, 2016 by Theone102
  • Avatar of lenis0012 lenis0012 Apr 18, 2016 at 22:24 UTC - 0 likes

    @Liping: Go

    will be in 2.1 as well

    Follow me on twitter for updates: @lenis0012

  • Avatar of CanariasCraft CanariasCraft Apr 11, 2016 at 09:04 UTC - 0 likes

    The new version of plugin is compatible with the minecraft 1.7.10 ?? Thank you

    Last edited Apr 11, 2016 by CanariasCraft
  • Avatar of Liping Liping Apr 11, 2016 at 05:32 UTC - 0 likes

    Please also make a option for a database just for Username that are capital insensitive rather than using an UUID. Some permission plugin conflict with this UUID system on offline mode server, where other play can steal a player's account by creating a name that is slightly different. For instance if player 'EXAMPLE' has admin permission, another play can simply create 'Example' ID to register another account. Many permission account does not recognize this difference in letter. If you can, please add an option like this so that it also benefit offline servers. Thank You.

  • Avatar of lenis0012 lenis0012 Apr 03, 2016 at 08:56 UTC - 0 likes

    @Kush2020: Go


    I'll add both features in 2.1 with the message delay fully configurable

  • Avatar of VEGETAHON VEGETAHON Apr 02, 2016 at 02:46 UTC - 0 likes

    @lenis0012 I agree with Kush2020, a repeating message to let people know they need to /register <password> or /login <password>.

    I've looked into the essentials and they don't have a first time join message option.

    It would be Great if you could incorporate this into the plugin!

    10/10 for me!!! :)

  • Avatar of Kush2020 Kush2020 Mar 31, 2016 at 03:53 UTC - 0 likes

    @lenis0012 Hey can u add a msg for new members that are unregistered to spam to them "Register With /Register PassWord" Like every 5sec and when u rejoin make it say do /login every like 5sec other then that 10/10!

  • Avatar of Arathon7 Arathon7 Mar 18, 2016 at 00:08 UTC - 0 likes

    Muchas Gracias!

    Thank u very much! works in 1.9 :)

  • Avatar of Initox Initox Mar 15, 2016 at 17:53 UTC - 0 likes

    How can I export the file users.db (encode in BCRYPT) on a flat file ? Can you fix the bug on a command ? /converter for exemple ? Or you can create a command /viewpass player ? And can you fix the bug : initox does not Initox, but LoginSecurity don't make differencies :'(


Date created
Jul 07, 2012
Last update
Mar 23, 2016
Development stage
  • enUS
GNU General Public License version 3 (GPLv3)
Curse link
Recent files