This is a password-protection system for players and operators acting as an extra layer of security for an online server. Please note: This will not work in offline-mode.
You may ask, if my server is in online mode, can't I rely on the Minecraft.net authentication servers to keep hackers out? Well the honest answer is, you can if you want to, but they don't have a very reliable track record. In recent history there have been two different major security loopholes found and exploited by hackers that allowed them to sign in as famous player accounts such as Notch, or sign in as operators for servers in order to cause harm or take over the server.
A password system provides an extra layer of security, so even if they do sign in as you, they cannot do anything unless they know the password you set up for it. As an added bonus, it can also help to keep player's nosy siblings out of their game ;-)
Security uses the Bukkit Conversation API to prompt players to enter information. These prompts override the standard chat, preventing you from sending chat messages or commands. You must read the prompt and enter the information requested into the chat box before you can use commands or send chat messages.
- Simple and straightforward commands for players and operators
- Prompts players for their password whenever they login from a different IP address
- Players can optionally set their accounts to "secure" mode where they are prompted every login regardless of IP address
- Stored passwords have strong encryption on them so not even people with access to the server files can read them
- Passwords can be reset by operators in case players forget them
- Can optionally store player email address to confirm their identity before resetting passwords
- If hackers attempt to guess a player's password they can be IP auto-banned
- You can set up permissions to require passwords, recovery emails or secure mode for given players
- Compatible with the LanguageAPI and can be translated into multiple languages
|/ChangePassword [new password]||security.changepassword (default all)||Allows a player to change their password, if one was previous set they will be prompted for it to confirm the change|
|/SecureMode [enable/disable]||security.changemode (default all)||Allows a player to change their account to or from secure mode, note this is overridden by the "security.requiresecuremode" permission. Players will be prompted for the current password in order to change this|
|/SetRecoveryEmail [email address]||security.changeemail (default all)||Set up a recovery email address which will help to identify the real account owner if they should forget their password. Players will be prompted for their current password in order to change this|
|/ResetPassword [player]||security.admin (default op)||Manually reset the password on a player account in case they forget it|
|/StrikeAutoBan [max strikes] [duration]||security.admin (default op)||Set the maximum number of strikes before an IP is banned for entering incorrect passwords, and how long in minutes they are banned for (0 for permanent ban)|
|/GetRecoveryEmail [player]||security.admin (default op)||Get the recovery email address for a player so that you can determine if they are the real account holder|
|/SetAdminEmail [email address]||security.admin (default op)||Set the admin email address that players should send emails to for password resets|
|security.requirepassword||none||Requires that players with this permission have a password set up|
|security.requiresecuremode||none||Requires that players with this permission have secure mode accounts|
|security.requirerecoveryemail||none||Requires that players with this permission have a recovery email set|
- Configurable command executed on a player typing an incorrect password
- Configurable command executed on an IP exceeding their maximum number of strikes
- Configurable command executed after a player has unlocked their account
- Ignore slash-commands that are entered into a password prompt by accident (no passwords starting with a slash allowed either)
- Delay the initial password prompt while in secure mode to allow MOTD plugins to send their initial messages to the player
- Configurable set of commands that require a password before they can be used
Compatibility and Troubleshooting
Full compatibility informationg and troubleshooting is available on the Compatibility and Troubleshooting page.
If you are fluent in English and another language, you can help translate Security! See the Translations page for details.
If you'd like to contribute towards the continued development, support and maintenance of this project, please consider joining me on Patreon, and making a one-time or recurring pledge.
If you need help you can leave a comment below and I will get back to you as soon as I can. You can also join my IRC chatroom using the following link. Please note, I am not always at my keyboard!