Personally I agree how they monopolize auth plugins such that the only auth plugin is SimpleAuth, and it uses a quite secure method to hash passwords before saving (adding salt, encrypting with whirlpool and SHA-512, combining them). Some say that passwords should be saved in plaintext because that favors owners to replace passwords for players. But actually, you can just replace the hash by the correct one. It is easy to get the hash. (There will be a hash page on http://PEMapModder.zapto.org/SimpleAuthHash.PHP soon) Then some say that when players forget their passwords, owners can get the password and send it to the players. But how can the owner confirm that it is the old player? What if he accidentally leaked the password to someone who is just an imposer? We must not exclude the factor that there exists this kind of stupid owners around (no offense if that's you). Moreover, look at all those popular websites around with the "forgot password" button. They just ask you to set a new password, not send you the old one. One never feels comfortable if he knows another person knows his password. Personally, only my parents know my password. And then, some may say that players should trust the owners, but I highly doubt so. There are new servers every day, and apparently players join them. These new servers may be made by people who are first time in the Minecraft community. (If you need proof, go to the MCPE Servers section on minecraftforum.net) How can players trust an owner that they first time see them? If they have to trust him/her to join, these servers will never have players. Even if the players use a new password there, you can't expect players to memorize a new password for each server. They would generally use the same password on most, if not all, servers. Then it is equally important to secure their passwords, whether they are real passwords or not. The community joins servers, based on the faith to servers that they won't read their passwords. And an important factor of such faith is because of how SimpleAuth is monopolized (maybe this is a negative word, but I am using its good meaning), that a lot know that only SimpleAuth is used by most servers (as you know, writing an auth plugin requires something more than basic programming skills). Then they feel comfortable since most servers won't get their passwords. What are your opinions?