


LoginSecurity is a lightweight password authorization plugin. You can optionally set a password that you enter each time you join the server, adding a second layer of security to your account. The password is stored inside the configuration file; nobody except the server owner can access or modify it.

How does it work?

Install the plugin to your /plugins/ directory, then start your server.
Type /register <password>; your account is now locked with a password.
Each time you log in, make sure to use /login <password>.


  • Registration can be optional or required (change in config)
  • 5 Useful commands to manage your password
  • Advanced administrative control
  • Advanced documentation via wiki
  • 5 Secure password algorithms: BCrypt, SCrypt, PBKDF2, Whirlpool and SHA3_256
  • Secure session storage to improve user experience
  • Customizable time-out
  • Map captcha upon registration (user friendly)
  • Conversion from AuthMe and xAuth (check wiki for more info)
  • Premium support through AutoIn
  • Automatic update with changelog overview
  • Username filtering (length and characters)
  • Highly detailed configuration
  • Automatically updated translation manager (user-submitted)
  • Prevents you from being kicked by other players logging in with your name

Session login lets users log back in right after logging out without typing their password again. (There is a 1 minute time limit on being logged out; the IP is stored during that time to keep everything safe.)


/lac - Admin command, rmpass and reload

/register <password> - Set your password

/rmpass - Removes your password (temporarily removed in 2.1)

/login <password> - Login with your password

/changepass <old> <new> - Change your password

/logout - Logout


  • loginsecurity.admin - allows admin command
  • loginsecurity.update - shows update notifications


Thanks to ServerMiner for making this informative tutorial
Other tutorials: German (by MineCraftler4Live)


  • Add translation interface for easier language selection
  • Suggestions?

Known Bugs

  • Players can mount/dismount and ride on vehicles while not logged in


By default, LoginSecurity will check for updates from bukkitdev every 3 hours.
This feature can be disabled by setting "update-checker" to "false".
Anyone with the permission node ls.admin will be notified of updates, and is also able to download them via /lac update.
This can likewise be disabled by disabling the update-checker.

This plugin utilises Hidendra's plugin metrics system, which means that the following information is collected and sent to mcstats.org:

  • A unique identifier
  • The server's version of Java
  • Whether the server is in offline or online mode
  • The plugin's version
  • The server's version
  • The OS version/name and architecture
  • The core count for the CPU
  • The number of players online
  • The Metrics version

Opting out of this service can be done by editing plugins/Plugin Metrics/config.yml and changing opt-out to true.
Additionally, when the language setting is changed, information is retrieved from lang.lenis0012.com to acquire up-to-date translations.


If you want to support me working on this project, please donate.
It helps me a lot to keep my projects up.
Donate at the top right corner

LoginSecurity build server


  • JugadorON Oct 22, 2016 at 19:24 UTC - 0 likes

    Add dual password please!!! Login and register.

  • leetom1991 Sep 26, 2016 at 09:28 UTC - 0 likes

    @LueLusten:

    Hi, how did you disallow the /register command? I don't see a permission related to this command.

  • JugadorON Sep 23, 2016 at 22:34 UTC - 0 likes

    I need a version for 1.10.2, please!!!

    Java 8!!

  • mirolm Sep 22, 2016 at 11:50 UTC - 0 likes

    Some players on my server continuously try to bruteforce passwords and sometimes they succeed. Kicks on failed login attempts do not usually stop them if they are serious about it (though it can get staff to look at what they do...). :)

    I decided to make a player lockdown functionality instead of kicking. When a player makes too many failed login attempts he is kicked and his uuid+ipaddr are turned into a uuid and added to a list. When he tries to log in, he is checked in AsyncPlayerPreLoginEvent and disallowed to enter. I made a thread to expire lockdowns in like 2 hours (the setting is configurable).

    This method has some flaws, but it is more effective than simple kicking. Hope you like the idea - I coded it in my fork of the old loginsecurity so you can look at it if you wish to.

    Last edited Sep 22, 2016 by mirolm
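
The lockdown described in the comment above, as an added example (not code from mirolm's fork or from LoginSecurity): a JDK-only sketch that keys on player UUID plus IP address and locks after a configurable number of failures. Class and method names are hypothetical, and expiry is done lazily on lookup rather than with the separate expiry thread the comment mentions.

```java
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added example; LoginLockout and its methods are hypothetical names, not plugin API.
public class LoginLockout {
    private final int maxFailures;
    private final long lockMillis;
    private final ConcurrentHashMap<UUID, Integer> failures = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<UUID, Long> lockedUntil = new ConcurrentHashMap<>();

    public LoginLockout(int maxFailures, long lockMillis) {
        this.maxFailures = maxFailures;
        this.lockMillis = lockMillis;
    }

    // Fold player UUID + IP address into a single name-based UUID used as the map key.
    static UUID key(UUID player, String ip) {
        return UUID.nameUUIDFromBytes((player + "|" + ip).getBytes(StandardCharsets.UTF_8));
    }

    // Call on a wrong password; returns true when the caller should kick and lock.
    public boolean recordFailure(UUID player, String ip, long now) {
        UUID k = key(player, ip);
        if (failures.merge(k, 1, Integer::sum) < maxFailures) return false;
        failures.remove(k);
        lockedUntil.put(k, now + lockMillis);
        return true;
    }

    // Call on a correct password so earlier failures do not count against later logins.
    public void recordSuccess(UUID player, String ip) { failures.remove(key(player, ip)); }

    // Pre-login check; an expired lock is dropped here instead of by a cleanup thread.
    public boolean isLocked(UUID player, String ip, long now) {
        UUID k = key(player, ip);
        Long until = lockedUntil.get(k);
        if (until != null && now >= until) lockedUntil.remove(k, until);
        return until != null && now < until;
    }

    public static void main(String[] args) {
        LoginLockout lockout = new LoginLockout(3, 2 * 60 * 60 * 1000L); // 3 tries, 2 hours
        UUID player = UUID.randomUUID(); // constructed sample player
        String ip = "203.0.113.7";       // constructed sample address
        for (int i = 1; i <= 3; i++)
            System.out.println("failure " + i + " locks: " + lockout.recordFailure(player, ip, 0L));
        System.out.println("locked at 1 h: " + lockout.isLocked(player, ip, 3_600_000L));
        System.out.println("locked at 2 h: " + lockout.isLocked(player, ip, 7_200_000L));
    }
}
```

`isLocked` is the check to run from the AsyncPlayerPreLoginEvent handler. Because the key includes the IP address, a separate per-name counter would be needed to cap attempts across addresses.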
  • games647 Sep 14, 2016 at 15:47 UTC - 0 likes

    @LueLusten:

    This may help you out. https://gist.github.com/games647/2b6a00a8fc21fd3b88375f03c9e2e603

    But remember it's only for offline-mode UUIDs


  • lenis0012 Sep 05, 2016 at 20:47 UTC - 0 likes

    @Viesturs881:

    You have misconfigured your database settings.
    Are you using mysql?

    Follow me on twitter for updates: @lenis0012

  • lenis0012 Sep 05, 2016 at 20:46 UTC - 0 likes

    @LueLusten:

    If your server is running offline mode, use the Java equivalent of UUID.nameUUIDFromBytes("OfflinePlayer:PLAYER_NAME".getBytes());
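
The derivation lenis0012 refers to, as an added example (not the plugin's own code): the offline-mode UUID computed with the JDK call and again by hand, so the steps can be ported to PHP or another language. Class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;

// Added example; OfflineUuid, viaJdk and byHand are hypothetical names.
public class OfflineUuid {
    // The JDK call from the comment: MD5 over the raw bytes, with no namespace prefix.
    static UUID viaJdk(String name) {
        return UUID.nameUUIDFromBytes(("OfflinePlayer:" + name).getBytes(StandardCharsets.UTF_8));
    }

    // The same value step by step, for languages that lack nameUUIDFromBytes.
    static UUID byHand(String name) throws NoSuchAlgorithmException {
        byte[] h = MessageDigest.getInstance("MD5")
                .digest(("OfflinePlayer:" + name).getBytes(StandardCharsets.UTF_8));
        h[6] = (byte) ((h[6] & 0x0f) | 0x30); // version nibble = 3 (name-based, MD5)
        h[8] = (byte) ((h[8] & 0x3f) | 0x80); // variant bits = IETF (10xx)
        long msb = 0, lsb = 0;
        for (int i = 0; i < 8; i++) msb = (msb << 8) | (h[i] & 0xff);
        for (int i = 8; i < 16; i++) lsb = (lsb << 8) | (h[i] & 0xff);
        return new UUID(msb, lsb);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Two spellings of one name: the derivation is case-sensitive, so they differ.
        for (String name : new String[] {"HelloKitty", "hellokitty"}) {
            UUID a = viaJdk(name), b = byHand(name);
            System.out.println(name + " -> " + a + " (by hand matches: " + a.equals(b) + ")");
        }
    }
}
```

A generic RFC 4122 `uuid3(namespace, name)` helper prepends a namespace before hashing and will not produce the same value.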

  • LueLusten Sep 05, 2016 at 09:50 UTC - 0 likes

    @lenis0012:

    Hey, how would I create a user from PHP? I am able to create the password fine, that checks out, but when I create a user it does not work.

    Let's say I create HelloKitty (4973c3ed-62ee-30ae-98dd-3775e5f249b6) uuid

    I can see that the other UUIDs don't match the user, so how are these created and how do I get the plugin to see them as a user? It seems it checks these IDs rather than the username, so I still get "please register".

  • Viesturs881 Sep 04, 2016 at 18:14 UTC - 0 likes

    Doesn't work with Spigot 1.8.8 at start of server, it shows an error

    [21:13:02] [Server thread/ERROR]: Could not load 'plugins/LoginSecurity.jar' in folder 'plugins'

    Full log file here: http://pastebin.com/9u1qWP5x

    Last edited Sep 04, 2016 by Viesturs881
  • lenis0012 Aug 29, 2016 at 16:20 UTC - 0 likes

    @LueLusten:

    We use the format of bcrypt.
    We use 10 log2 rounds, 10 blowfish rounds and the salt has a length of 16.
    It works with any parameters though.