[TFA] Two Factor Authentication

Okay, that’s great. I never said you were doing anything wrong or implied that you needed to “learn security.” Sorry if it came across as offensive.

No, it wasn’t so much you as a collection of everyone else attempting to undermine the security of this plugin. You’re right, you didn’t, and sorry that came out on you a bit.

Hi! Thanks for your work, it will be great when it is finished. Some ideas:

  • Why not use a DBMS, like SQLite, to store the data? Indeed, with a database we can use this data with a site.
  • For more security, are you using a salt with SHA3?

Hi potatoes, thank you for asking nicely. I’d be happy to answer your question.

  • This support is planned, though to be honest the core part of the plugin isn’t working. I’m going to start with file storage, and expand.
  • Actually, SCrypt is going to be the default on most servers (SHA3 is only meant for servers that can’t run SCrypt efficiently, i.e. 1GB or less; the player will be warned when the SHA3 option is enabled). However, yes, salting will be employed. Or, if players don’t want to use passcodes, Google Authenticator will be the recommended way to authenticate.

Note for everyone else: the update with SCrypt as the default (PBKDF2 as a secondary option), a warning on SHA3 selection, and salting implemented will be pushed by the end of the 26th of May (UTC - 7 time).

2 Likes
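The storage scheme described in the post above (scrypt by default, PBKDF2 as the secondary option, a fresh salt per player), sketched as an added example that is not the plugin's code. The cost parameters, the `scheme$cost$salt$hash` record layout and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost settings (not from the thread). scrypt with n=2**14, r=8 needs
# about 16 MiB per hash; PBKDF2 is the low-memory secondary option.
COSTS = {"scrypt": (2**14, 8, 1), "pbkdf2-sha256": (600_000,)}

def _derive(scheme, passcode, salt, cost):
    pw = passcode.encode("utf-8")
    if scheme == "scrypt":
        n, r, p = cost
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p,
                              maxmem=64 * 1024 * 1024, dklen=32)
    if scheme == "pbkdf2-sha256":
        (iterations,) = cost
        return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)
    raise ValueError("unknown scheme: " + scheme)

def hash_passcode(passcode, scheme="scrypt"):
    """Return a self-describing record: scheme$cost$salt$hash."""
    salt = os.urandom(16)  # fresh random salt for every stored passcode
    cost = COSTS[scheme]
    digest = _derive(scheme, passcode, salt, cost)
    return "$".join([
        scheme,
        ",".join(str(c) for c in cost),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])

def verify_passcode(passcode, record):
    """Re-derive with the stored scheme, cost and salt; compare in constant time."""
    try:
        scheme, cost_s, salt_s, digest_s = record.split("$")
        cost = tuple(int(c) for c in cost_s.split(","))
        salt = base64.b64decode(salt_s)
        expected = base64.b64decode(digest_s)
        candidate = _derive(scheme, passcode, salt, cost)
    except (ValueError, TypeError):
        return False  # malformed or unsupported record never authenticates
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    rec = hash_passcode("constructed sample passcode")
    print(rec)
    print(verify_passcode("constructed sample passcode", rec))
```

Because the scheme and cost travel with each record, a server can change its default later and still verify older entries.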

Who needs all those fancy authentication storage systems when you’ve got ROT-13? That’s secure enough… Right?

2 Likes

I’m sure that works perfectly. Haha :slight_smile:

1 Like

rot-26 is best rot

3 Likes

Hehe this is my secret message nobody will be able to crack. ROT-26 for life.

3 Likes

It took me a Google search to get this joke.
But then I lol’d :smiley:

3 Likes

Are you planning to implement an auto-offline feature like the one x-auth had? As in, if the Minecraft auth servers are down, it will automatically put the server in offline mode.

I can add it to a list of things to do for the first release. :smile:

1 Like

Hi! :wink: Xauth worked with a local database (H2); then, if you wanted, you could change the setting and add an online database. So I think TFA must also work with a local database, because a little server, running on a computer for instance, can use your plugin more quickly and more easily! I think you should start with a local database and afterwards implement the possibility of having an online database.

Hi, if you read above you’ll note flat file is all that’s implemented, but both local database and online databases are planned.

A nice feature you should add is setting a permission (ex. 2fa.requirepw or 2fa.dontrequirepw-- so you can have everyone require a password unless explicitly told otherwise) for the login feature.

This is useful in a case where you only want Admins to be prompted to enter a password, to use as extra protection for them specifically. Would be nice especially because it’s not very desirable to have players log in every time, and this would limit it to only a certain group for extra protection-- like Admins, because with admin permissions you can do a lot of damage. Just something to keep in mind, not sure if you had already implemented this… It’s just a plot to take over the world idea :smiley:

The whole fact is people who want to have the protection can. Only if the person wants it. (so automatically making everyone require a password unless told otherwise is counter-intuitive). However I can make a requirepw permission. (In case you wanted to apply it to everyone, just admins, etc.)

Ohhh okay, I may have missed that part :blush:

Alright didn’t get to finish my update due to personal life stuff, but I wanted to push what I currently had done. This is super basic foundation work. However did want to update what I had.

Has there been any new progress on the plugin recently?

Unfortunately no, I’ve been really really preoccupied with some irl stuff. I will post an update here when I can get to it.

1 Like