Bukkit

@ProjectNarna

SecurityDragon just verified the password to return a boolean output... it never stored anything.

This plugin stores information but its not in a database format it's stored as a file and similar to SecurityDragon the plugin pulls the information for a boolean output. I mean I can salt it no problem. But at this point its all up to the user on what they do with the files on they're server and what access they allow players to have. Proper server protection, or protection offered from your hosting provider along with this plugin is the real idea.

@ProjectNarna

Its alright I got to thinking that if by the stroke of chance they were able to pull an md5 hash from whatever end, that the if the operator is using the same pass for they're operator account that they use for minecraft itself they could possibly use the hash to attempt to login to that players account itself considering minecraft simply uses md5. Although highly unlikely you would still have to gain root access by some means to pull the information or develop a bukkit plugin that will steal the information from this configuration which even in the same aspect unsecured/unsalted/unhashed passwords reside in most configurations requiring an external connection example: mysql. This situation its really up to moderators verifying plugins at that point. So to get back on track to defeat this plugin to gain operator status is either by deleting the plugin and putting the names back into the op.txt(root access), from the console opping yourself (telnet, queryport{which requires login information from the server.properties}), by pulling the configuration from the backend (trojan), or building a bukkit plugin to steal the configuration, all of which are more harmful, intensive, and require extensive tools to gain access. If there is a method of telepathy that I'm unaware of let me know cause I'm missing out.

Yah I have worked with salting, (SecurityDragon{inactive} uses md5 with salt to login to joomla), but do you really think its necessary? I mean the method of this type of security is to simply remove the operator status from a player in minecraft and authenticate themselves as being who they are in game, if I was able to pull the mac address of the player logging in I would use this for verification instead.

The way the plugin works is that if your given operator then you set a password for yourself or the plugin will not recognize you when you re log back in, once the password is set it is saved in the configuration and flushed, when the player leaves and rejoins the configuration information is pulled and IF they're ip is does not match then it will require your password which is then pulled and compared.

If I was unclear in my post I'll rewrite it so users can understand what I'm offering. I'm not able to create a bukkit plugin to protect they're minecraft account, or personal information any more so then they could do themselves. This is simply a plugin to fix an issue like the video posted above. This plugin provides a means of authenticating operators on your server, keeping your authorized users legit considering that you can't always control how each individual admin will approach a situation.

Also I was still scrubbing the source and forgot to change the description consider I have another update coming.

I went ahead and adjusted the digest to SHA512. Keep in mind that this password isn't even used if verification is made via ip.

@ProjectNarna

"You should instead assume everything else is INSECURE, and that you are offering the only protection."

Agreed, however I never made a claim that this would provide any other security then for the minecraft game server itself. Proper firewalls, Website creation with regards to php/mysql injection and other security options should always be take seriously as well as all passwords should be secured never given out.

The only claim that this plugin has is to provide game server protection from unauthorized users gaining operator from a hijacked minecraft session and provide security for those that are operator on a minecraft server.

@ProjectNarna lol.. If by any means a player can run even attempt to run a bruteforce through an online server without crashing it I'd be impressed. If they set a timer and ran it, It would take... years of perfect conditions even attempting to resolve the hash online from the server, which you get kicked after a default 3 bad logins. Which even after that you'd have to be able to emulate the operators original Ip Address and Username along with stealing the session. So I'd say its GOOD for now. Either way your right MD5 is verified by comparison and is not necessarily a form encryption.

MD5 with a bruteforce attack with simply the raw data can take hours on simply a plain text 5 character password when running rainbow tables it all depends on processing ability. (My friend forgot his windows password LM hash takes forever) ;)

But hell if we need to go that far for a small login system that's more secure then most web verification systems with the added variables lets go RSA BSAFE with a SecureID Token Randomly generating oplogin codes every 60 secs, its unnecessary. But if your talking about getting the password from the backend... well you were already screw'd from the beginning. :)