Hi guys, i’m Xephi (or Xephi59) , i create and reserve this thread for one thing :
If Sponge will support offline mode servers, AuthMe-Reloaded will be immediatly ported to support Sponge officially
Thanks Sponge Devs to do that kind of work,
Continue your good job , see you soon for the first AuthMe release on Sponge
IMHO, Offline-Mode switching should be automatic based on if the server can contact Mojang’s servers at start up, like the current Launcher does it. I don’t know any reasons why any legitimate servers would run in Offline-Mode as a matter of course.
Just because it’s popular doesn’t mean you should have the “right” to steal it. I know it’s software, but it’s still a product.
But regardless, I’m glad to hear about this. AuthMe is still a great plugin for servers that wish to add more security.
I know this is getting sort of off-topic but I thought I’d put my two cents in here.
Notch himself supports the idea of pirating (too lazy to scrounge up the source, but he once responded to someone tweeting him that his game cost too much by telling them to download it illegally).
Cracked servers are often disregarded and hated on, and for good reason.
But cracked servers serve a noble purpose; they introduce new people to the game, including people who may not have the money to buy the game.
Take me for example! I started out playing minecraft via some cracked version of it I found off of google. I started playing on some cracked servers and decided that all the cracked servers had a totally crappy playerbase so I decided to buy the game for myself… and now here I am, some two years later and I own and operate my own server.
I don’t know if you should be complaining too much about mojang having too much money, because really the last thing I’d call mojang are a bunch of greedy bastards. They’ve offered free updates to a $25 game for the past 5 years. No DLC, no addon content. (That might change with the recent microsoft acquisition, but that’s a whole other story…)
All in all, glad to hear that AuthMe will be ported to sponge. Hopefully servers running Authme will continue introducing new players to minecraft far into the future. :+3
i bought mc because of industrialcraft servers…not because i liked mojang
I couldn’t have said it better. I also originally pirated Minecraft four years ago, but I figured I would buy it since I liked it so much. Four years down the road, it is a very good purchase.
Same here without cracked I might of never played minecraft
Thanks, I and 955817 people more have downloaded your plugin.
Thanks for working with the community.
For the ones that talk about piracy, you should observe the minecraft communities in other countries like latinoamerican ones, where most of people cant access to a Credit Card to buy Minecraft.
I have bought Minecraft but as a server owner I know.
Xephi if you do a port, will you please look into the password theft and griefing problem? You’re probably aware but just in case you’re not - griefers liked to use authme and similar “offline mode security” plugins on temporary servers to trick kids into giving up their Minecraft passwords (the kids are naive, and often set their local server password to be the same as their Minecraft account password). Then the griefers use their accounts to dodge bans and grief other servers, and share the passwords with other griefers on griefing forums.
I think it can be fixed by making sure only a one-way hash of the player’s password is stored on the server running the plugin, and ensure the player’s password input doesn’t get logged in the server logs.
Thanks for reading! Apologies if you’ve already taken these measures and I’m just unaware.
I do want to propose a mixed-mode auth for offline servers. I want to be able to have the server publicly open to premium accounts then have an offline mode whitelist so I can add people who don’t have an account while controlling access.
That puts them in the “illegitimate” server category. He’s asking for reasons why a legitimate server would run in offline mode.
I had my server in offline mode for a while purely to allow my best friend on my server who was getting minecraft for his birthday in 6 months. (It was a very small server for our local MC community)
Awesome! i bought minecraft myself but everyone else plays cracked so i have to use offline
Just to be clear, I accept the ways piracy helps to grow the community. In fact I think piracy is a really bad term for it. You don’t sail around the seas plundering merchant ships when you pirate software, but that’s beside the point. My point is that its not a good idea to include a feature for which the only practical purpose is enabling piracy. Mojang removed the manual offline mode of the launcher for this very reason.
Steering back onto the actual topic, if you are going to port AuthMe, I have 2 suggestions for you:
(NOTE: I haven’t interacted with AuthMe in ages, I have no idea how relevant these are.)
- Make it fast. Last time I was on an AuthMe server it took like, 5 sec for AuthMe to realise I’d logged on, the 10 sec for it to say my password was correct. That’s far too slow. I don’t want to wait 15 seconds every time I log on.
- A post above suggests that passwords were being stored plaintext / logged in the logfiles in plaintext. DO NOT DO THIS. EVER. No matter how insignificant your stuff is, always follow proper password storage practices, ie: at least SHA256 hash with salt. Don’t log any inputs, just log that person X logged on successfully. (or not) If your not doing this you shouldn’t even be thinking of having passwords.
How did I never see this plugin back when Bukkit was still going? This would have been the solution to so many problems I had with my server. I’m glad that I’ll at least be able to use it with Sponge.
@Kevin96AT: Personally, I find that the idea of even having passwords stored in plaintext or logged to console as an option is a stupid one. The admins/owners of the server have no business knowing the players’ passwords anyway, and most people use the same password in several places, if not everywhere. It’s horrible design, and can only lead to accounts being stolen. @Thamstras’ second point is very much valid.
How can it be used for testing purposes? I honestly cannot see any way plaintext passwords would be necessary. I believe that you shouldn’t be able to see users’ passwords because whatever you do to warn them, many will use the same password. The players’ security and privacy tradeoff is too great compared to whatever legal gain you can achieve by snooping in their passwords. Saying that forced security doesn’t help in this regard is nonsensical. They’re going to use their passwords, and it won’t be a problem at all if you don’t have access to it.
Awesooome!! Thank you! Authme & offline mode are very usefull to connect with test accounts to test permissions… This is why I love Offline Mode! (Not for crack versions)
Piracy: Robbery or illegal violence at sea. Yea, that really well describes people downloading software without permission. And as @Lemonous said, The very notion of the option to store passwords in plain text is absurd, and shows a complete lack of knowledge on the developers part of how to properly treat passwords. Ideally the password would be hashed on client side and then sent, but that’s not feasible in a vanilla environment.