Official authentication plugin

Discussion in 'General discussion' started by Jack Noordhuis, Nov 20, 2016.

  1. Jack Noordhuis

    Jack Noordhuis Zombie Pigman Poggit Reviewer

    Messages:
    618
    GitHub:
    JackNoordhuis
    By 'bulky' I mean it implements a bunch of features that only certain servers will use. SimpleAuth was simple, it was a valuable resource for learning developers because it did what an auth plugin needs to do and nothing more.

    The reason I suggested PMMP have it's own official auth plugin that is supported by the PMMP team is that it will stay up to date, work with PMMP and its users would feel safer using a plugin backed/made by the maintainers of PMMP itself. The plugin wouldn't need to be feature packed and be the most secure thing ever to be created, it would be a clean, open source resource for the community (or at least that's what I had in mind when I made this thread :p).
     
    HimbeersaftLP likes this.
  2. Jack Noordhuis

    Jack Noordhuis Zombie Pigman Poggit Reviewer

    Messages:
    618
    GitHub:
    JackNoordhuis
    Like I told you before, you should hash the password as soon as you get it so you don't send plain text passwords.

    You should hash the password in the API implementation itself to avoid any possible loopholes that may exist in your 'secure connection'.
     
    HimbeersaftLP likes this.
  3. Daltontastic

    Daltontastic Spider Jockey

    Messages:
    28
    As I told you before that is overkill. If you are utilizing SSL you don't need to double hash the password though it wouldn't hurt either.

    On a side note I was demonstrating how to hash, verify, and rehash.

    Read http://security.stackexchange.com/a/64639
     
    HimbeersaftLP likes this.
  4. SOFe

    SOFe Administrator Staff Member PMMP Team Poggit Admin

    Messages:
    1,968
    GitHub:
    sof3
    An auth plugin shouldn't be simple. It should be secure. For example, multi-factor authentication is a method for better security.
    What SimpleAuth lacks is asynchronous queries that ensure performance, and async queries already make it not simple.
     
    HimbeersaftLP likes this.
  5. Daltontastic

    Daltontastic Spider Jockey

    Messages:
    28
    There is SMS APIs in theory you could send a verification code to verify logins.
     
    HimbeersaftLP likes this.
  6. Primus

    Primus Zombie Pigman

    Messages:
    748
    Why are you registering in first place if you're afraid of revealing your password? I've always laughed at people who passwords got compromised in social site or minecraft server network. IMO you shouldn't adjust system, adjust users! Everyone knows basic precaution like don't use the same passwords across applications and when creating new password, make them long, complex, but memorizable (password is a bad password).

    The second thing I hate, after Trump is a human factor.
     
    Last edited: Nov 21, 2016
    dktapps and HimbeersaftLP like this.
  7. SOFe

    SOFe Administrator Staff Member PMMP Team Poggit Admin

    Messages:
    1,968
    GitHub:
    sof3
    SMS 2FA is considered insecure, and some countries even plan to legislate on banning them as means of authentication.

    I think the whole talk about hashing passwords is needless. As long as it is not too obvious and is salted with the username, it is OK. While we can't even solve the problems of preventing the server admins from intercepting your password, why talk so much about potential hackers who invade the databases that are surely much more difficult to hack into?
     
    Primus and HimbeersaftLP like this.
  8. Jack Noordhuis

    Jack Noordhuis Zombie Pigman Poggit Reviewer

    Messages:
    618
    GitHub:
    JackNoordhuis
    An authentication implementation should be by no means simple whilst handling sensitive information.

    HereAuth has a bunch of 'extra' features like being able to import other auth plugins' existing database info and config defined registration steps. These aren't needed in a plugin that implements a secure authentication service with the least amount of optional features that aren't always needed.
     
    HimbeersaftLP likes this.
  9. Daltontastic

    Daltontastic Spider Jockey

    Messages:
    28
    Did you just say hashing passwords is "needless"? You sound like LBSG
     
    HimbeersaftLP likes this.
  10. SOFe

    SOFe Administrator Staff Member PMMP Team Poggit Admin

    Messages:
    1,968
    GitHub:
    sof3
    What is the exact problem of them? If you don't use the commands or enable them in the config, they won't even be run at all. And everything is separated into appropriate namespaces, so it's fine if you don't want to read them.
     
    HimbeersaftLP likes this.
  11. Jack Noordhuis

    Jack Noordhuis Zombie Pigman Poggit Reviewer

    Messages:
    618
    GitHub:
    JackNoordhuis
    He said the talk about hashing passwords is needless. Read and re-read if the post seems utterly stupid just so you know you didn't misread it.
     
    HimbeersaftLP likes this.
  12. SOFe

    SOFe Administrator Staff Member PMMP Team Poggit Admin

    Messages:
    1,968
    GitHub:
    sof3
    No. I mean the paranoia about finding the strongest hash is as needless as trying to wire a redstone button password protected iron door in multiplayer survival mode. It is indeed still useful against thieves who don't want to trigger the BUD behind the door or against mobs.
     
    HimbeersaftLP likes this.
  13. Daltontastic

    Daltontastic Spider Jockey

    Messages:
    28
    I was just showing an example of PHP's PASSWORD_DEFAULT hashing functionality. It's future proof and backwards compatible. Plus super simple to use.

    People use specific SHA512 with their own salt, but this method generates a unique one each time, and whenever a stronger hashing method comes out it rehashes it for you.
     
    HimbeersaftLP likes this.
  14. Jack Noordhuis

    Jack Noordhuis Zombie Pigman Poggit Reviewer

    Messages:
    618
    GitHub:
    JackNoordhuis
    There is no problem when using the plugin as a plugin, it's when it comes to going through the source and using it as a means to learn it becomes unnecessary. If someone is learning to code it is a hell of a lot easier to read through code that is direct and 'gets to the point' (no features or implementations they may have never heard of or never used) so they can actually learn.

    This thread was supposed to be a suggestion for a resource, not a full-fledged authentication plugin to outdo every other plugin of its type.
     
    HimbeersaftLP likes this.
  15. SOFe

    SOFe Administrator Staff Member PMMP Team Poggit Admin

    Messages:
    1,968
    GitHub:
    sof3
    I don't think an official plugin needs to be an example plugin. You can make a plugin that only has basic functions to demonstrate what you said, but why should the official one auth plugin be a simple example plugin?
     
  16. Jack Noordhuis

    Jack Noordhuis Zombie Pigman Poggit Reviewer

    Messages:
    618
    GitHub:
    JackNoordhuis
    SimpleAuth was an example of a good, easy to use API whilst being a secure authentication plugin.

    You could create another plugin implementing these features if you wanted too but it makes more sense to update/rewrite SimpleAuth due to it being used and some people wanting it updated.
     
  17. Primus

    Primus Zombie Pigman

    Messages:
    748
    No one is going to steal the freakin' passwords! Who needs minecraft profiles? Kids! Can they do something to get them? Probably no! Should we hash the passwords? Yes, just to be sure. How do we hash them? Use anything, even md5 would fit the needs, but I would personally prefer bcrypt. I feel like You're trying to put a Lego brick in worlds safest vault.

    Another yet pointless thread.
     
  18. Daltontastic

    Daltontastic Spider Jockey

    Messages:
    28
    How does your reply contribute to this conversation
     
  19. Primus

    Primus Zombie Pigman

    Messages:
    748
    By highlighting the reason why no one should waste their time :p
     
    SOFe likes this.
  20. Thunder33345

    Thunder33345 Moderator Staff Member

    Messages:
    2,137
    GitHub:
    Thunder33345
    Just a side note it is bad to hash the hash of a hash
     
    Daltontastic and dktapps like this.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.