If I run a server with offline-mode=false, hide-online-players=true and white-list=true, how easy would it be for an attacker to find out which names are whitelisted to join with a whitelisted name? Is it brute-force hard or does the server leak that info somewhere? How to secure an offline mode server against this?
I’d recommend a separate authentication plugin independent of Mojang accounts. For example this one (didn’t test it myself).