Cracked vs Premium Minecraft Servers: What's the Difference?

A "cracked" server lets people connect without a paid Minecraft account. A "premium" server only allows verified accounts. The difference comes down to one line in `server.properties`:

``` online-mode=true # premium only online-mode=false # cracked allowed ```

When this is `true`, your server pings Mojang's auth servers and rejects anyone who isn't logged into a real account. When it's `false`, anyone with the IP and a Java client can connect under any username.

Why People Run Cracked Servers

• Bigger pool of players — especially in regions where Minecraft is expensive
• Friends can join without buying the game
• No Mojang dependency — works even if Mojang's auth servers go down

The Real Costs of Going Cracked

1. Username spoofing

Anyone can join as "Notch" or as your moderator's username. Without auth, the only thing tying a player to a name is the name itself.

2. Skin theft

Cracked clients can wear any skin without owning the account. Cosmetic exclusivity disappears.

3. Account-bound permissions break

If your op list has `Steve` on it, *anyone* can log in as Steve and run /op commands. Same for LuckPerms admin groups.

4. Higher hacker rate

Players who play cracked are more likely to also use cracked clients with built-in cheats. Anti-cheat workload goes up.

5. EULA gray area

Mojang's EULA technically requires premium auth. They rarely enforce it on small servers, but you can't run cracked and monetize — you'll lose voting site listings and face takedowns if reported.

How to Run Cracked Safely

If you've decided cracked is worth it, you must install an auth plugin:

AuthMe (the standard)

``` /register /login ```

Players can't move, chat, or interact until they log in. Passwords are bcrypt-hashed in the database.

NLogin (modern alternative)

Better UI, supports premium auto-login (if a player has a real account, they skip the password), 2FA via Discord. Worth the $5 one-time fee.

Required configuration

• Set a session timeout (15–60 min) so players don't have to retype on every reconnect
• Enable registration captcha to block bots
• Whitelist staff to prevent any cracked impersonation
• Lock op/admin permissions to specific UUIDs, not usernames

Hybrid: Premium-Auth Through a Proxy

A common 2026 setup: run Velocity in online-mode=true, but allow Geyser/Floodgate Bedrock players in. Floodgate gives them deterministic UUIDs prefixed with `.` so they can't impersonate Java accounts.

This gives you cross-play *without* truly going cracked. See our Velocity setup guide.

Chargebacks

Cracked players who buy ranks (in violation of EULA, but it happens) chargeback through PayPal more often. They have nothing to lose — no Microsoft account at risk. If you take donations, expect a higher dispute rate.

Should You Go Cracked?

| Situation | Recommendation | | --- | --- | | Small private SMP for friends | Premium | | Public competitive PvP server | Premium | | Faction/MMO/RPG with monetization | Premium | | Casual server in a low-income region | Cracked + AuthMe | | Building a portfolio / no-money project | Either |

For most server owners reading this in 2026: stay premium. The headaches aren't worth the larger player pool, and most voting sites (including ServerList.cc) flag cracked servers anyway.

If you do go cracked, treat the auth plugin as critical infrastructure — never let it lapse.