
Secure an Offline-Mode Server with OpeNLogin

If `online-mode=false` is set, anyone can log in as your admin. Here's the fix.


Why Offline Mode Exists

Setting online-mode=false in server.properties skips Mojang's authentication handshake. Two legitimate reasons to want this:

  1. BungeeCord backend (the proxy handles auth)
  2. Supporting players on cracked clients

On a standalone offline server, anyone can connect under your username and run commands with that account's permissions. You must layer a password on top.

OpeNLogin

OpeNLogin intercepts new connections and forces every player to register a password, then re-authenticate on every reconnect.

Install

  1. Stop the server
  2. Drop OpeNLogin.jar into /plugins/
  3. Start the server; OpeNLogin generates /plugins/OpeNLogin/config.yml

First-Time Flow

A new player joins → OpeNLogin shows a clickable chat message:

  1. Player clicks → finalizes registration → server kicks them once (intentional)
  2. Player reconnects → server prompts /register <password> <password>
  3. From now on every login starts with /login <password>

Until they authenticate they can't move, chat, or run commands. Spoofing a staff name does nothing without the password.

Recommended config.yml Tweaks

session-timeout: 600           # seconds before re-auth required
max-login-attempts: 3
kick-after-failed-attempts: true
min-password-length: 8
require-uppercase: true
require-digits: true
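
To check a server against these settings, the following added example (not OpeNLogin's or the host's own code) audits the two files as text. It assumes config.yml uses the flat `key: value` layout shown above and treats session-timeout and max-login-attempts as upper bounds.

```python
# Added example: audit an offline-mode server against the values recommended above.
# Assumption: session-timeout and max-login-attempts are treated as upper bounds.
BASELINE = {
    "session-timeout": ("max", 600), "max-login-attempts": ("max", 3),
    "kick-after-failed-attempts": ("is", True), "min-password-length": ("min", 8),
    "require-uppercase": ("is", True), "require-digits": ("is", True),
}
# Constructed sample config: short password minimum, no attempt limit set.
SAMPLE_CFG = ("session-timeout: 600  # seconds\nmin-password-length: 4\n"
              "kick-after-failed-attempts: true\nrequire-uppercase: true\nrequire-digits: true\n")

def parse_flat(text, sep):
    """Parse flat 'key<sep>value' lines; skip comment lines, drop ' #' trailers."""
    out = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip()] = value.split(" #", 1)[0].strip()
    return out

def coerce(raw):  # 'true'/'false' -> bool, digit strings -> int, anything else stays str
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return int(raw) if raw.isdigit() else raw

def meets(kind, got, want):
    if type(got) is not type(want):  # a value of the wrong type never passes
        return False
    return {"is": got == want, "max": got <= want, "min": got >= want}[kind]

def audit(server_properties, plugin_config, plugin_installed):
    """Return a list of findings; an empty list means nothing to fix."""
    props = parse_flat(server_properties, "=")
    # online-mode defaults to true, so a missing key is not offline mode.
    if props.get("online-mode", "true").lower() != "false":
        return []
    if not plugin_installed:
        return ["online-mode=false and OpeNLogin.jar missing: usernames are unauthenticated"]
    cfg = {k: coerce(v) for k, v in parse_flat(plugin_config, ":").items()}
    findings = []
    for key, (kind, want) in BASELINE.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, recommended {want}")
        elif not meets(kind, got, want):
            findings.append(f"{key}: {got} is weaker than recommended {want}")
    return findings
```

Pass in the contents of server.properties and /plugins/OpeNLogin/config.yml, plus whether OpeNLogin.jar is present in /plugins/.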

Combine With SkinsRestorer

Side effect of offline mode: every player renders as default Steve/Alex. Add SkinsRestorer to fetch real skins from the Mojang API by username.

Need More Help?

Players locked out and can't reset? Run /openlogin reset <player> from the console. Stuck? Ask in Discord.
