In my attempt to write my travel stories from internet cafés without worries, I wrote the Login Virtual Keyboard plugin some time ago. However, using a virtual keyboard to prevent keylogging is somewhat clumsy and still not entirely safe.
To improve safety I recently wrote the One-Time Password plugin, which lets me log in to my weblog with passwords that are valid for one session only: a keylogger on a café PC captures only a password that has already been spent, and my main WordPress password is never typed there, so it cannot be stolen. The plugin is simple to use: install it, generate a password list, and you can start logging in using one-time passwords.
For even more safety, version 2 adds the possibility to protect administrative actions with one-time passwords as well.
Amit Banerjee wrote an excellent guide to setup the plugin.
Update: this plugin is one of the 11 12 13 Vital Tips and Hacks to Protect Your WordPress Admin Area.
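The plugin's one-time passwords are the RFC 2289 kind (the comments below mention MD5 versus SHA1, sequence numbers, a challenge of the form "otp-md5 45 37x67m7k51s2u9k" and six-word passwords such as "LAY GURU DUNK JOCK SKEW COAL"). As an added example, which is not code from the plugin or its author, the Python below implements the MD5 variant of that scheme: the generator that produces a printable list, the challenge parser, and a server-side verifier that keeps only the last accepted password, so a captured password cannot be replayed and the pass phrase never needs to be stored. The hex output form the RFC allows is used instead of the six-word encoding, which needs the RFC's 2048-word dictionary; the pass phrase, seed, count and all names are this example's own assumptions, and how the plugin itself stores its state is not modelled. RFC 2289 Appendix C publishes test vectors (for example pass phrase "This is a test." with seed "TeSt") against which `otp_md5` can be checked.

```python
"""RFC 2289 one-time passwords (MD5 variant): list generator and verifier.

Added example for this page, not code from the One-Time Password plugin.
Algorithm and the "otp-md5 <sequence> <seed>" challenge format follow RFC 2289;
pass phrase, seed, count and function names are this example's own choices.
"""
import hashlib
import re


def _fold(digest: bytes) -> bytes:
    # RFC 2289 folds the 128-bit MD5 digest to 64 bits by XORing its two halves.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def next_otp(otp: bytes) -> bytes:
    """One step up the hash chain: otp(n) = fold(MD5(otp(n - 1)))."""
    return _fold(hashlib.md5(otp).digest())


def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password with sequence number `seq`.

    Initial step S = fold(MD5(lowercase(seed) || passphrase)), then `seq` chain
    steps. Passwords are consumed from high sequence numbers down to 0, so a
    captured otp(n) does not reveal otp(n - 1), which the server asks for next.
    """
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1-16 alphanumeric characters (RFC 2289)")
    if not (10 <= len(passphrase) <= 63):
        raise ValueError("pass phrase must be 10-63 characters (RFC 2289)")
    otp = _fold(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())
    for _ in range(seq):
        otp = next_otp(otp)
    return otp


def to_hex(otp: bytes) -> str:
    """RFC 2289 hex output format: four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def from_hex(text: str) -> bytes:
    """Accept the hex form with or without spaces, in either letter case."""
    digits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", digits):
        raise ValueError("expected 16 hex digits")
    return bytes.fromhex(digits)


def password_list(passphrase: str, seed: str, count: int) -> list:
    """The printable list: (sequence, hex) pairs from count-1 down to 0."""
    return [(n, to_hex(otp_md5(passphrase, seed, n))) for n in range(count - 1, -1, -1)]


CHALLENGE_RE = re.compile(r"^otp-(md5|sha1) (\d+) ([A-Za-z0-9]{1,16})$")


def parse_challenge(challenge: str) -> tuple:
    """Split an RFC 2289 challenge such as 'otp-md5 45 37x67m7k51s2u9k'."""
    m = CHALLENGE_RE.match(challenge.strip())
    if not m:
        raise ValueError("malformed OTP challenge: %r" % challenge)
    return m.group(1), int(m.group(2)), m.group(3)


class OtpVerifier:
    """Server side: stores only the last accepted OTP, never the pass phrase."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.next_seq = count - 1                       # sequence the user answers next
        self.stored = otp_md5(passphrase, seed, count)  # first OTP of the new sequence

    def challenge(self) -> str:
        return "otp-md5 %d %s" % (self.next_seq, self.seed)

    def verify(self, response: str) -> bool:
        """Accept iff hashing the response once reproduces the stored OTP."""
        if self.next_seq < 0:
            return False  # sequence exhausted: a new list must be generated
        try:
            candidate = from_hex(response)
        except ValueError:
            return False
        if next_otp(candidate) != self.stored:
            return False  # wrong, replayed, or out-of-order password
        self.stored = candidate  # the accepted OTP becomes the new reference
        self.next_seq -= 1
        return True


def demo() -> list:
    # Constructed inputs: any 10-63 character pass phrase and 1-16 character seed.
    passphrase, seed, count = "travel stories from the road", "cafe2011", 5
    server = OtpVerifier(passphrase, seed, count)
    results = []
    for seq, hex_otp in password_list(passphrase, seed, count):
        assert parse_challenge(server.challenge()) == ("md5", seq, seed)
        # First use is accepted; typing the same password again is refused.
        results.append((seq, hex_otp, server.verify(hex_otp), server.verify(hex_otp)))
    return results


if __name__ == "__main__":
    for seq, hex_otp, first, replay in demo():
        print("%3d  %s  accepted=%s  replay_accepted=%s" % (seq, hex_otp, first, replay))
```

The verifier only ever compares `fold(MD5(response))` with the stored value, so a database dump yields the last spent password and nothing usable for the next login. The 64-bit output is fixed by the RFC, which is why the passwords cannot be made shorter than six words or sixteen hex digits without leaving the standard.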

Hello, I wonder if I can use a subscriber user instead of an administrator, and where I have to change this.
Thanks
I am not sure what you mean, but the plugin is multi-user, so any WordPress user can login with his/her own OTP-codes.
Hello, I need to know if I can set the plugin up for a user defined as other than administrator, and how it should be done, because it gives me the option to choose the user.
Thank you very much.
But it only lets me define the admin user.
And how do I choose another user?
I still don’t understand what you want, sorry.
Hi
When I try to install it – WordPress tells me:
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/tmp//one-time-password.tmp) is not within the allowed path(s): (/var/www/web189/) in /var/www/web189/web/album/wp-includes/functions.php on line 2340
Warning: touch() [function.touch]: SAFE MODE Restriction in effect. The script whose uid is 10749 is not allowed to access /tmp owned by uid 0 in /var/www/web189/web/album/wp-admin/includes/file.php on line 177
Warning: is_writable() [function.is-writable]: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/www/web189/) in /var/www/web189/web/album/wp-includes/class-http.php on line 145
Warning: unlink() [function.unlink]: SAFE MODE Restriction in effect. The script whose uid is 10749 is not allowed to access /tmp owned by uid 0 in /var/www/web189/web/album/wp-admin/includes/file.php on line 50
How do I avoid this? I have no programming skills.
This problem is most probably not specific to the One-Time Password plugin. Your hosting provider doesn’t allow writing in the folder /tmp, which the WordPress installer tries to do to install a plugin (but also when installing themes and the WordPress core itself).
You will have to ask support from your hosting provider for this.
Can you make this plugin work with protected posts?
I want users to access a protected post with a random password that I will send them via SMS to use once.
The goal of this plugin is to login with one-time passwords.
Generating one-time random passwords for protected posts is too far from this goal, sorry.
Hi, the good news is that it’s working great even on WP 3.0.4. The bad news is that it’s working only with the admin account (which I usually avoid using). With admin it starts from a higher sequence number (49, then 48 and so on); with other users it starts from 1 and everything I insert (except the plain WP password) isn’t accepted.
(I used SHA1 instead of MD5).
Last thing, I saw TWO different “One-Time Password” menu item: one you explained under settings and another with users list and a “generate” button under Tools.
Some hints?
Thanks and congrats,
A.
I just tested with a user in the ‘Subscriber’ role with both MD5 and SHA1 algorithms without any problems. Maybe you have a conflicting plugin or a specific installation that is incompatible with the plugin. If you are willing to give me login details, I would like to debug this issue.
Thanks Marcel. I gave it a shot with Firebug and I noticed that an AdWords stats plugin interrupted the JS chain. Now it works fine.
Thank you
A.
The tools menu is for batch generating One-Time Passwords for other users.
Got it thanks
I am interested in using this plug-in, but for a different purpose. We have a blog/website in development for a client that requires us to give the client a password to view the site, but once that password is used they cannot use it again. Basically, securing the site from being shared with unauthorized viewers. Your plugin is exactly what I need, with the exception that I want to prevent access to the site itself unless a one-time password is entered. Can your code be modified to function this way? If not, any ideas on what I can use to perform this functionality? Thanks and best regards, Troy
Sorry for the late reply, but I was traveling until yesterday. I didn’t test it, but I guess you can achieve what you want by combining the One-Time Password plugin with the Force User Login or similar plugin. I guess you want to check the ‘Disable normal login’ option of the One-Time Password plugin in this case.
Wow, thanks for that plugin. But I have a problem.
I don’t know if it’s just me being dumb or not, but I can’t find where the list is. Was I supposed to print the page, or at least write the passwords down? Because I can’t see the list.
After you have generated the list using the settings of the plugin, you will land at the bottom of the list, where you will find the print button.
Trying to set up the plugin with OTPGen, I cannot set the pass-phrase. Clicking the Generate button results in an “Invalid pass-phrase” error. If I clear the “Is One-Time Password” checkbox, the OTP list is generated for printing. But if this checkbox is set, the error occurs. I use WordPress 3.0 and the latest Apache and PHP included with CentOS 5. Would you like to improve this plugin to work with it? I’ll be glad to contact you and send you additional information required for debugging.
If you check ‘Pass-phrase is a One-Time Password’, the password should be from your current OTP list (printed or not) with the correct sequence number (look for it in the ‘Revoke One-Time Password list’ section). In this case no new list for printing will be shown.
If you still get an error, let me know, but be sure to include the error message.
Thank you for reply.
I have managed to generate authentication information properly. I have generated the list of passwords and then have chosen one of the passwords from the list and regenerated information with no more OTP password print list as the result.
I have installed the j2me-otp application on my mobile phone and tried to log in. But the passwords generated by the phone were not accepted by the login form. I had to log in using my main password.
There are three fields to be filled in at j2me-otp application screen:
password, sequence and challenge.
As I have understood, the password is that pass-phrase that I have chosen from the OTP print list for generating passwords 2nd time; sequence – is a number that is displayed at the login prompt; and challenge – is a seed/code displayed at login prompt.
Am I right?
Do I have to type in full pass-phrase into j2me-otp or can I use hex value? The same question for generating passwords 2nd time.
What you do seems correct to me. Maybe j2me-otp uses MD4 instead of MD5. You could look if you can change that. You can also try OTPGen. Maybe others are interested in this too, so could you please report back what works and what not?
I have tried the original java version (not j2me) of jotp at http://www.cs.umd.edu/users/harry/jotp/
I have tried generating md4 and md5 passwords using it (login prompt asks for otp-md5), but generated passwords were not accepted.
j2me-otp uses MD5, as stated in its description.
I will try with another pass-phrase, as it made me now doubt about writing current phrase correctly.
OTPGen will not generate passwords on my phone. OK button accepts pass-phrase and then does nothing.
I have tried using full pass-phrases and hex hashes and combinations of them. Still no luck logging-in using OTP.
Tried with jotp and with j2me-otp.
Plugin does not display any error during password generation process.
Printed OTP codes do work correctly.
I can login and authorize administrative actions with them.
It seems I may do something wrong when typing data into the OTP software.
Nice work, this plugin works fine, and so does OTPGen. But only some seeds work on OTPGen for Symbian. You have to try a couple of seeds to make it work.
No, I don’t do anything wrong with the software.
Just tried to generate printed phrases and it generates them correctly, just as printed.
The pass-phrase should match with what you choose when generating the list. If you use the correct sequence and seed it should work (I just tried it with an Android application to be sure). Maybe j2me-otp simply does not conform to RFC 2289.
Hello,
First of all, thank you so much for a nice and handy plug-in.
I logged in as admin via OTP, but when I try to log out it says:
Uri: /wp/wp-login.php?action=*&_wpnonce=*
User: admin
Password:
Challenge: otp-md5 45 37x67m7k51s2u9k
And it gives a javascript back link.
What can be the problem ?
Thanks in advance.
Try to adjust the values in the ‘Do not protect’ section of the options and let me know if it helps.
Change at least ‘/wp-login.php’ into ‘/wp/wp-login.php’, but probably all values should be changed.
Well it did not work.
I would like to reset OTP stored data. And couldn’t find any table in phpmyadmin.
I deleted otp folder and put back from zip, but it didn’t help.
And I will try again.
Thanks.
If you want to delete all OTP data, login (not using OTP), check the OTP option ‘Delete data on deactivation’ and deactivate the plugin. After activating the plugin again, all data will be reset. The data is stored in a few options, not in a table. The OTP data is generated when needed.
Can you send me the URL where your ‘Log Out’ link is pointing to (without nonce)?
Did you change ‘/wp-login.php?action=*&_wpnonce=*’ into ‘/wp/wp-login.php?action=*&_wpnonce=*’ too?
I checked the box and deactivated. And reactivated, now everything is going fine.
I think I had misconfigured the settings. Right now it doesn’t give any error when I click logout.
Is there any way to make shorter OTP passwords? For example, something shorter than LAY GURU DUNK JOCK SKEW COAL. Users won’t like the spaces and the length. 7-8 characters would be great. I tried but couldn’t generate them.
Best of all from the capital city of Turkey, Ankara.
Nice that it works now!
I cannot change the length of the passwords without violating RFC 2289. Besides that, deviating from security standards is never a good plan.
Try resetting ‘Do not protect’ to the default values (use the link below it) using version 2.8.6 of the plugin.
Dear Marcel,
Is there a way to make shorter hex or word values? I mean, can I make the pass-phrase shorter?
This question has been answered already, see comment above.
Oops, sorry.
Thanks for attention
Hi, I wanted to use this password protection for a specific page, not for all pages. Is this possible with this plug-in?
The One-Time Password plugin is meant to protect your weblog. I don’t see why it could be useful to protect a specific page. Maybe you can elaborate on what you are trying to accomplish.
On our web site, we wanted to have a page which is password protected and only invited users can see the page. So I wanted to use a one-time password to view that page.
Maybe I will realize this feature in the future, but it is not very high on the priority list.
Hello
I feel really funny about this ….
I installed your plugin, went to settings, did everything and then pressed Generate.
But … where is the list of passwords supposed to go? Where am I supposed to pick it up, because there’s no list on the same page (ie settings page where I supposedly generated them).
Am I supposed to go to another page to pick up the list? (scratching head)
Thanks in advance.
The One-Time Password list should appear at the top of the same page, but the page is positioned in such a way that the Print button below the list is visible. Maybe your password was too short; look for error messages near the Generate button. If you still have trouble, send me a screenshot and I will try to help you further.
Hello there,
I always get a 404 error on the logon screen. I use WP 2.8.2 DE Edition from
here: http://wordpress-deutschland.org/download/
I have no idea why.
If you need german localization please contact me.
regards
Heiko
I guess the just released version 1.2 will fix your problem as well, please let me know.
A German translation would be very welcome! A Dutch .po file is included in the distribution.
Hi there,
Version 1.2 works fine. Thanks.
Heiko
Hi, nice plugin. I have a problem because the plugin doesn’t show the correct message on the login page but shows “Error 404”. Specification: WordPress MU 2.8.1
The plugin wasn’t tested with WordPress MU yet. Today (even before your comment) I installed WordPress MU (for the first time) and a little fix made the plugin work. I just released version 1.2 of the plugin with this fix. Any feedback, positive or negative, would be appreciated.
Wow, now your plugin works fine with WordPress MU. Thanks a lot!
Hi,
Sorry, but your plugin doesn’t work. When I activated it I got this message:
Parse error: syntax error, unexpected ‘{‘ in /homez.42/juriblog/www/wp-content/plugins/one-time-password/otp.php on line 48
My WordPress release is 2.8.2 (PHP 4).
If you can do something for me…
Thanks for reporting this problem.
It appears that the used PHP One-Time Passwords class is not compatible with PHP 4. I updated the plugin to check for the PHP version and added a warning to the description of the plugin (version 1.1).
I am sorry that I cannot solve this problem for you.
Hi again,
Now your plugin (release 1.2) is OK for me. I rewrote my .htaccess file to use PHP 5.0.10 instead of 4.4.9. Thanks for your work.
Now I’m going to learn how to use it.
The plugin sounds great, gonna give it a try right now. But I am not 100% sure how it works. Will I have to remember all those one-time passwords on the list and just use one whenever I need one?
The intention is to print the generated password list (look for the print button below the displayed list) and to use the password with the sequence number shown in the login screen. See also the usage instructions in Other Notes.
Thanks. I totally missed the Other Notes section. All clear now.
I have improved the description of the plugin now.