Security

Password Hashing

mineLogin supports multiple password hashing algorithms. Configure the hashing method in the passwords-security section:

passwords-security:
  hash-type: BCRYPT
  salt-for-passwords: false
  delete-password-after-change-account-type: true

Algorithm	Description
`BCRYPT`	Industry-standard, recommended for most setups
`ARGON2`	Memory-hard algorithm, strongest option
`SHA512`	Fast cryptographic hash
`SHA256`	Fast cryptographic hash
`MD5`	Legacy support only, not recommended

Option	Type	Default	Description
`hash-type`	Enum	`BCRYPT`	Password hashing algorithm
`salt-for-passwords`	Boolean	`false`	Add an additional salt to passwords
`delete-password-after-change-account-type`	Boolean	`true`	Remove password when switching to premium

Password Restrictions

passwords-security:
  password-restrictions:
    minimum-password-length: 6
    maximum-password-length: 16
    regex: "^[a-zA-Z0-9!%&#@*]*"

Option	Type	Default	Description
`minimum-password-length`	Integer	`6`	Minimum allowed password length
`maximum-password-length`	Integer	`16`	Maximum allowed password length
`regex`	String	`^[a-zA-Z0-9!%&#@]`	Regex pattern for allowed password characters

Blocked Passwords

Common passwords can be blocked in blocked-passwords.yml:

blocked-passwords:
  - "password"
  - "password123"
  - "123456"
  - "qwerty"

Brute Force Protection

mineLogin automatically protects against brute force attacks by limiting login and recovery attempts.

Attempt Limits

limits:
  login-attempts: 3
  recovery-code-attempts: 3
  accounts-per-address: 2
  accounts-per-address-check-type: ON_JOIN

Option	Type	Default	Description
`login-attempts`	Integer	`3`	Max login attempts before action is taken
`recovery-code-attempts`	Integer	`3`	Max recovery code attempts before action
`accounts-per-address`	Integer	`2`	Max accounts allowed per IP address
`accounts-per-address-check-type`	Enum	`ON_JOIN`	When to check IP limit (`ON_JOIN` or `ON_REGISTER`)

IP Banning

security:
  ban-ip-on-max-login-attempts: true
  ban-ip-on-max-recovery-attempts: true
  ip-ban-time: "30m"

Option	Type	Default	Description
`ban-ip-on-max-login-attempts`	Boolean	`true`	Ban IP after exceeding login attempts
`ban-ip-on-max-recovery-attempts`	Boolean	`true`	Ban IP after exceeding recovery attempts
`ip-ban-time`	Duration	`30m`	Duration of the IP ban

Tip: Use /ml unban <ip> to manually unban an IP address.

Two-Factor Authentication (2FA)

mineLogin supports TOTP-based two-factor authentication using apps like Google Authenticator or Authy.

Configuration

verification:
  enabled: false
  require-permission: false
  permission: ""
  create-verification-timeout: "1m"
  verification-confirm-timeout: "30s"
  session-active-time: "3d"
  auto-enable-session: false

Option	Type	Default	Description
`enabled`	Boolean	`false`	Enable 2FA support
`require-permission`	Boolean	`false`	Only allow players with a specific permission to use 2FA
`permission`	String	`""`	Permission node that forces 2FA setup
`create-verification-timeout`	Duration	`1m`	Time to complete 2FA setup
`verification-confirm-timeout`	Duration	`30s`	Time to enter a TOTP code during login
`session-active-time`	Duration	`3d`	Duration of trusted 2FA sessions
`auto-enable-session`	Boolean	`false`	Auto-enable session after 2FA verification

How It Works

Player runs /verification enable to start 2FA setup
The plugin generates a TOTP secret and shows a setup key
Player scans the key with an authenticator app
Player confirms with /verification enable <code>
The plugin generates 6 recovery codes as backup
On future logins, the player must enter a TOTP code with /verification verify <code>

Recovery Codes

When 2FA is enabled, 6 alphanumeric recovery codes are generated. These can be used to disable 2FA if the authenticator app is lost.

2FA Sessions

Similar to login sessions, 2FA sessions allow skipping the TOTP code on trusted IP addresses. Toggle with /verification session.

Captcha

mineLogin supports captcha verification during registration to prevent automated account creation.

other-settings:
  captcha: true
  captcha-type: CHAT

Type	Description
`CHAT`	A text-based captcha code displayed in chat. Player must type it as part of the `/register` command
`MAP`	An interactive map-based captcha rendered on the backend server (requires the bridge plugin)

Geolocation Blocking

Restrict access based on player IP geolocation.

geo-location:
  enabled: false
  available-countries:
    - "PL"
    - "FR"
    - "US"
    - "GB"

Option	Type	Default	Description
`enabled`	Boolean	`false`	Enable geolocation restrictions
`available-countries`	List	`["PL", "FR", "EN", "US", "GB"]`	Allowed country ISO codes

Administrators can manage the geolocation whitelist per IP:

/ml geolocation check <ip> — check if an IP is whitelisted
/ml geolocation add <ip> — add an IP to the whitelist
/ml geolocation remove <ip> — remove an IP from the whitelist

Session System

The session system allows players to skip password entry on trusted IP addresses.

other-settings:
  session-active-time: "3d"
  auto-enable-session: false

Option	Type	Default	Description
`session-active-time`	Duration	`3d`	How long a session remains valid
`auto-enable-session`	Boolean	`false`	Automatically enable sessions on login

How Sessions Work

Player logs in normally with /login
Player runs /session to enable trusted session
On next login from the same IP within the session duration, the password is skipped
If the IP changes, the session is invalidated
Sessions persist across server restarts

Nickname Restrictions

other-settings:
  nickname-allowed-regex: "[a-zA-Z0-9_]+"

Players with nicknames that do not match the configured regex pattern will be denied access.

other-settings:
  login-timeout: "30s"

Players who do not authenticate within the configured timeout are automatically kicked from the server.