Security
Security is very important. Please read this page and make sure your plugin doesn't store passwords in plain text (in server console or logs).
Encryption
AccountAPI never stores passwords in plain text. Passwords are written to the database as SHA-256 hashes; "encrypted" on this page, and in the API's encrypted parameter, means hashed this way. The password cannot be recovered from the stored hash alone, so nobody can read the passwords, not even admins or the plugin itself. If a user loses their password, it can't be restored; it can only be changed.
The API accepts passwords both encrypted and in plain text. If you provide a password in plain text, it will be encrypted before it is stored.
Syntax
setPassword(Player player, String password, boolean encrypted);
Example 1 (encrypted)
setPassword(player, "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", true);
Example 2 (not encrypted)
setPassword(player, "password", false);
Example 3 (incorrect)
setPassword(player, "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", false);
Example 4 (also incorrect)
setPassword(player, "password", true);
Examples 1 and 2 have the same result. The password is "password" and its hash will be written to the database.
In example 3 the hash is already provided, but it will be encrypted again. The hash of the hash is stored in the database.
In example 4 the password in plain text is provided, but it won't be encrypted. "password" will be written to the database.
Overview
| Example | What is provided | Will be encrypted | What will be written to the database |
| 1 | hash | no | hash |
| 2 | plain text | yes | hash |
| 3 | hash | yes | double-hash |
| 4 | plain text | no | plain text |
If you provide the password in plain text, set the boolean to false.
If you provide the hash, set it to true.
For your plugin
When using AccountAPI with your plugin, make sure that passwords are never stored in plain text. Don't create commands like /register <password>, because every command (including the password in plain text) is written to the server console and log.
A more secure way would be to provide a /register command without any arguments, which generates a random key, writes it to the database, and sends something like this to the player: yourwebsite.com/register?k=12345. On the website, check the key and maybe the player's IP address, then show a registration form. I recommend using PHP.
Maybe this feature will be included in AccountAPI v0.3.
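One way to implement the key handling for the /register link described above, as an added example that is not AccountAPI code. The class name RegistrationKeys, the 15-minute lifetime, the in-memory map standing in for the database table and the sample IP address are assumptions; it needs Java 17.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper, not part of AccountAPI: one-time keys for a /register link.
public class RegistrationKeys {
    private static final Duration TTL = Duration.ofMinutes(15); // assumed lifetime
    private static final SecureRandom RNG = new SecureRandom();
    private record Pending(UUID player, String ip, Instant expires) {}
    // Stand-in for the database table. Rows are keyed by the SHA-256 of the key,
    // so a leaked table does not contain usable registration links.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    // Called by the /register command; the return value goes into the URL.
    public String issue(UUID player, String ip) {
        byte[] raw = new byte[32]; // 256 random bits instead of a short number
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256(key), new Pending(player, ip, Instant.now().plus(TTL)));
        return key;
    }

    // Called by the web form; returns the player the key belongs to, or null.
    public UUID redeem(String key, String ip) {
        Pending p = pending.remove(sha256(key)); // removed first: a key works once
        if (p == null || Instant.now().isAfter(p.expires()) || !p.ip().equals(ip)) {
            return null; // unknown, replayed, expired, or from a different address
        }
        return p.player();
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JVM
        }
    }

    public static void main(String[] args) {
        RegistrationKeys keys = new RegistrationKeys();
        UUID player = UUID.randomUUID(); // constructed sample player
        String key = keys.issue(player, "203.0.113.7"); // constructed sample IP
        System.out.println("yourwebsite.com/register?k=" + key);
        System.out.println("first use ok:  " + player.equals(keys.redeem(key, "203.0.113.7")));
        System.out.println("replay denied: " + (keys.redeem(key, "203.0.113.7") == null));
    }
}
```

The password itself only ever travels through the web form, so it never appears in the server console or log; serve that form over HTTPS.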