MyLogin
MyLogin is a lightweight authentication plugin for Minecraft servers. It provides secure password-based login, strong pre-login protection, IP-based auto login.
🔐 MyLogin
MyLogin is a lightweight authentication plugin for Minecraft servers. It provides secure password-based login, strong pre-login protection, IP-based auto login, and migration support from the Passky plugin.
📖 Project Background
This plugin was created because the Passky authentication plugin had not received updates for several months. MyLogin was developed as a simple alternative that allows servers to continue using their existing player data while maintaining compatibility with newer Paper versions.
MyLogin supports migration of Passky SHA-256 password data, allowing servers to transition without forcing players to register again.
✨ Features
- 🔑 Password-based player authentication
- 🔄 Migration support from Passky (SHA-256 password hashes)
- ⏱ Configurable login timeout
- 🚫 Maximum login attempt protection
- 🌐 Optional IP-based auto login
- 🚪 Logout command support
- 🛠 Admin password management tools
- 👁 Blindness effect before login
- 🎆 Firework effect after successful login
- 📄 YAML-based player data storage
📦 Requirements
- Server: Paper
- Supported versions: 1.21.4 – 1.21.11
- Java: 21+
📜 Commands
| Command | Description | Usage |
|---|---|---|
/login | Log in to your account | /login <password> |
/register | Register a new account | /register <password> <password> |
/changepassword | Change your password | /changepassword <old> <new> |
/logout | Log out of your current session | /logout |
Administrative Commands
| Command | Description | Permission |
|---|---|---|
/migrate | Import legacy user data (Passky migration) | mylogin.admin |
/resetpassword | Reset a player's password | mylogin.admin |
/deleteplayer | Delete a player's login data | mylogin.admin |
/mylogin reload | Reload plugin configuration | mylogin.admin |
🔑 Permissions
| Permission | Description | Default |
|---|---|---|
mylogin.admin | Allows access to administrative commands | OP |
Administrators with this permission can:
- migrate legacy accounts
- reset player passwords
- delete player authentication data
- reload plugin configuration
Example Usage
Register a new account:
/register mypassword mypassword
Log in:
/login mypassword
Admin resets a password:
/resetpassword Steve newpassword
Admin deletes a player's login data:
/deleteplayer Steve
⚙️ Configuration
The plugin configuration file is located at:
plugins/MyLogin/config.yml
Example Configuration
login-timeout-seconds: 300
max-login-attempts: 5
min-password-length: 4
max-password-length: 32
max-attempts: 5
ip-remember: true
ip-remember-timeout: 86400
messages:
auto-login-success: "&aWelcome back! You were logged in automatically."
effects:
blind: true
firework: true
Setting Explanation
Login Timeout
login-timeout-seconds: 300
How long a player can stay on the server without logging in before being kicked.
Example:
300 seconds = 5 minutes
If the player does not run /login or /register within this time, they will be kicked.
Failed Login Attempts
max-login-attempts: 5
max-attempts: 5
Maximum number of incorrect password attempts before the player is kicked.
This protects against:
- brute force attacks
- password guessing
Password Length
min-password-length: 4
max-password-length: 32
Controls the allowed password length when players register.
Example:
/register mypassword mypassword
Passwords shorter than the minimum or longer than the maximum will be rejected.
IP Auto Login
ip-remember: true
ip-remember-timeout: 86400
If enabled, players who logged in previously from the same IP will automatically log in.
Timeout value is in seconds.
Example:
86400 seconds = 24 hours
After this time expires, the player must log in again.
Auto Login Message
messages:
auto-login-success: "&aWelcome back! You were logged in automatically."
Message sent to players when they are automatically logged in using the IP remember system.
Supports Minecraft color codes using &.
🎇 Login Effects
effects:
blind: true
firework: true
Controls visual effects used by the plugin.
blind
- Applies blindness to players who are not logged in.
firework
- Plays a firework effect when the player successfully logs in.
Notes
- Configuration changes require a server restart or plugin reload.
- All values are safe to modify.
- Color codes use the standard Minecraft format (
&a,&c, etc).
🔄 Migration from Passky
MyLogin supports migrating existing user accounts from the Passky authentication plugin.
This allows servers previously using Passky to switch to MyLogin without forcing players to reset their passwords.
Supported Format
MyLogin reads the legacy Passky user file:
plugins/MyLogin/Migration/old-users.yml
Each user entry must contain:
username:
hash: <password-hash>
algo: SHA-256
salt: <salt>
Only SHA-256 hashes are supported.
Migration Process
- Copy your Passky user file into:
plugins/MyLogin/Migration/old-users.yml
-
Start the server.
-
MyLogin will automatically import the accounts.
Example File
Steve:
hash: a6c9e0c3e9b5...
algo: SHA-256
salt: 9f12ab
Migration Logs
After migration, a report will be generated:
plugins/MyLogin/Migration/migration-log.yml
This file contains:
migrated:
- Steve
- Alex
skipped:
Notch: unsupported algorithm
Notes
- Existing MyLogin users will not be overwritten.
- Only valid SHA-256 hashes will be migrated.
- Invalid or unsupported entries will be logged and skipped.
📂 User Data Storage
MyLogin stores player authentication data in a YAML file.
Location:
plugins/MyLogin/data/users.yml
Each player is stored using their Minecraft username.
Example
Steve:
hash: 7f3c9e4c9b2d...
salt: 2c4a9f81
algo: SHA-256
ip: 192.168.1.10
registered: true
logged-in: false
attempts: 0
last-login: 1715002000
Field Explanation
| Field | Description |
|---|---|
hash | Password hash |
salt | Random salt used for hashing |
algo | Hash algorithm used |
ip | Last known player IP |
registered | Whether the player has registered |
logged-in | Current login state |
attempts | Failed login attempts |
last-login | Timestamp of last successful login |
Password Security
MyLogin uses salted SHA-256 hashing.
Process:
hash = SHA256(password + salt)
Each player receives a unique random salt generated during registration.
This prevents:
- ✨ table attacks
- identical password hashes between users
Login Tracking
The plugin stores:
last-login
as a UNIX timestamp (seconds).
This is used for features such as:
- IP-based auto login
- login timeout systems
Failed Login Attempts
The field:
attempts
tracks how many failed login attempts a player has made.
This can be used for:
- login throttling
- temporary lock systems
- security monitoring
Important Notes
- User data is stored using player names, not UUIDs.
- The file is automatically created on first startup.
- Changes are saved immediately after registration or login state changes.
📄 License
MIT License
