In addition to what everyone else said, if you are hosting a server, authlib-injector is a thing that switches the auth server from Mojang to something else, meaning that there is actual verification of identity beyond just username.
Multiyggdrasil is a fork of that that lets you use both Mojang and another auth server for maximum compatibility and security with friends.
As someone who has run an offline mode server, it's a question of when, not if, you get griefed
In addition to what everyone else said, if you are hosting a server, authlib-injector is a thing that switches the auth server from Mojang to something else, meaning that there is actual verification of identity beyond just username.
Multiyggdrasil is a fork of that that lets you use both Mojang and another auth server for maximum compatibility and security with friends.
As someone who has run an offline mode server, it's a question of when, not if, you get griefed