By 'bulky' I mean it implements a bunch of features that only certain servers will use. SimpleAuth was simple; it was a valuable resource for learning developers because it did what an auth plugin needs to do and nothing more. The reason I suggested PMMP have its own official auth plugin that is supported by the PMMP team is that it will stay up to date, work with PMMP, and its users would feel safer using a plugin backed/made by the maintainers of PMMP itself. The plugin wouldn't need to be feature-packed or be the most secure thing ever created; it would be a clean, open-source resource for the community (or at least that's what I had in mind when I made this thread).
Like I told you before, you should hash the password as soon as you get it so you don't send plaintext passwords. You should hash the password in the API implementation itself to avoid any possible loopholes that may exist in your 'secure connection'.
As I told you before, that is overkill. If you are utilizing SSL you don't need to double-hash the password, though it wouldn't hurt either. On a side note, I was demonstrating how to hash, verify, and rehash. Read http://security.stackexchange.com/a/64639
An auth plugin shouldn't be simple. It should be secure. For example, multi-factor authentication is a method for better security. What SimpleAuth lacks is asynchronous queries that ensure performance, and async queries already make it not simple.
Why are you registering in the first place if you're afraid of revealing your password? I've always laughed at people whose passwords got compromised on a social site or a Minecraft server network. IMO you shouldn't adjust the system, adjust the users! Everyone knows basic precautions like not using the same password across applications and, when creating a new password, making it long, complex, but memorizable ("password" is a bad password). The second thing I hate, after Trump, is the human factor.
SMS 2FA is considered insecure, and some countries even plan to legislate on banning it as a means of authentication. I think the whole talk about hashing passwords is needless. As long as it is not too obvious and is salted with the username, it is OK. While we can't even solve the problem of preventing server admins from intercepting your password, why talk so much about potential hackers who invade the databases, which are surely much more difficult to hack into?
An authentication implementation should by no means be simple while handling sensitive information. HereAuth has a bunch of 'extra' features, like being able to import other auth plugins' existing database info and config-defined registration steps. These aren't needed in a plugin that implements a secure authentication service with the least amount of optional features that aren't always needed.
What is the exact problem with them? If you don't use the commands or enable them in the config, they won't even be run at all. And everything is separated into appropriate namespaces, so it's fine if you don't want to read them.
He said the talk about hashing passwords is needless. Read and re-read if the post seems utterly stupid, just so you know you didn't misread it.
No. I mean the paranoia about finding the strongest hash is as needless as trying to wire a redstone-button password-protected iron door in multiplayer survival mode. It is indeed still useful against thieves who don't want to trigger the BUD behind the door, or against mobs.
I was just showing an example of PHP's PASSWORD_DEFAULT hashing functionality. It's future-proof and backwards compatible, plus super simple to use. People use a specific SHA-512 with their own salt, but this method generates a unique salt each time, and whenever a stronger hashing method comes out it rehashes it for you.
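The hash / verify / rehash flow mentioned a few posts up, and the PASSWORD_DEFAULT behaviour described in the post above, as an added example in PHP (the language PMMP plugins are written in). This is not code from the thread, from SimpleAuth, HereAuth or PMMP; the in-memory `$db` array, the player names and the `register()`/`login()`/`check()` helpers are constructed for illustration only.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from this thread or from any PMMP auth plugin.
 * Demonstrates PHP's built-in password_hash() / password_verify() /
 * password_needs_rehash() with PASSWORD_DEFAULT, including the transparent
 * upgrade of old records on the next successful login.
 *
 * Assumptions (hypothetical, for illustration only): the "database" is an
 * in-memory array keyed by player name, and an auth plugin would call
 * register()/login() from its command handlers.
 */

// Policy applied to new hashes. Raising the cost (or changing the algorithm)
// later is safe: existing records are upgraded on their next login.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

/** Create the stored record for a new player. */
function register(array &$db, string $name, string $password): void
{
    // password_hash() draws a fresh random salt per call and embeds the
    // algorithm, cost and salt in the returned string, so only that string
    // needs to be stored; no per-user salt column is required.
    $db[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Verify a login attempt. On success, if the stored hash was produced with an
 * older algorithm or a lower cost than the current policy, replace it now,
 * while the plaintext is still available in memory. Returns true on success.
 */
function login(array &$db, string $name, string $password): bool
{
    if (!isset($db[$name])) {
        // Unknown player: still do one verification so the response time does
        // not reveal which names are registered (hash computed once, lazily).
        static $dummy = null;
        $dummy ??= password_hash('unused-dummy-password', HASH_ALGO, HASH_OPTIONS);
        password_verify($password, $dummy);
        return false;
    }

    // Constant-time comparison against the stored hash.
    if (!password_verify($password, $db[$name])) {
        return false;
    }

    // Stored hash is weaker than current policy: rehash and overwrite.
    if (password_needs_rehash($db[$name], HASH_ALGO, HASH_OPTIONS)) {
        $db[$name] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

/** Tiny self-check helper for the demonstration below. */
function check(string $label, bool $ok): void
{
    echo ($ok ? 'PASS ' : 'FAIL ') . $label . PHP_EOL;
}

// --- demonstration on constructed data (not from any real server) ---
$db = [];
register($db, 'steve', 'correct horse battery staple');

check('valid password accepted',  login($db, 'steve', 'correct horse battery staple'));
check('wrong password rejected',  !login($db, 'steve', 'hunter2'));
check('unknown player rejected',  !login($db, 'alex', 'anything'));

// Two registrations of the same password never share a salt, so the stored
// strings differ even though both verify.
register($db, 'steve2', 'correct horse battery staple');
check('unique salt per hash', $db['steve'] !== $db['steve2']);

// Simulate a legacy record an older plugin version might have written with a
// low bcrypt cost, then log in and confirm it was upgraded to current policy.
$db['legacy'] = password_hash('old-pass', PASSWORD_BCRYPT, ['cost' => 4]);
$before = $db['legacy'];
check('legacy login still works', login($db, 'legacy', 'old-pass'));
check('legacy hash was rehashed on login',
    $db['legacy'] !== $before
    && password_get_info($db['legacy'])['options']['cost'] === HASH_OPTIONS['cost']);
```

The rehash step only runs after a successful `password_verify()`, because that is the only moment the server legitimately has the plaintext; a record whose owner never logs in again simply keeps its old hash, which is the trade-off this scheme makes.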
There is no problem when using the plugin as a plugin; it's when it comes to going through the source and using it as a means to learn that it becomes unnecessary. If someone is learning to code, it is a hell of a lot easier to read through code that is direct and 'gets to the point' (no features or implementations they may have never heard of or never used) so they can actually learn. This thread was supposed to be a suggestion for a resource, not a full-fledged authentication plugin to outdo every other plugin of its type.
I don't think an official plugin needs to be an example plugin. You can make a plugin that only has basic functions to demonstrate what you said, but why should the official auth plugin be a simple example plugin?
SimpleAuth was an example of a good, easy-to-use API while being a secure authentication plugin. You could create another plugin implementing these features if you wanted to, but it makes more sense to update/rewrite SimpleAuth because it is already in use and some people want it updated.
No one is going to steal the freakin' passwords! Who needs Minecraft profiles? Kids! Can they do something to get them? Probably not! Should we hash the passwords? Yes, just to be sure. How do we hash them? Use anything, even md5 would fit the needs, but I would personally prefer bcrypt. I feel like you're trying to put a Lego brick in the world's safest vault. Yet another pointless thread.