In my attempt to write my travel stories in internet cafés without worries, I wrote the Login Virtual Keyboard plugin some time ago. However, using a virtual keyboard to prevent keylogging is somewhat clumsy and still not entirely safe.

To improve safety, I recently wrote the One-Time Password plugin, which lets me log in to my weblog using passwords that are valid for one session only, so my main WordPress password cannot be stolen. The plugin is simple to use: install it, generate a password list and you can start logging in with one-time passwords.

For even more safety, version 2 adds the option to protect administrative actions with one-time passwords as well.
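To show what "valid for one session only" means in practice, here is an added Python example of the RFC 2289 one-time-password scheme that the plugin's login challenge (otp-md5 <sequence> <seed>) refers to. It is not the plugin's own code (the plugin is PHP and uses a third-party OTP class); the pass-phrase and seed in it are constructed, the hexadecimal rendering simply prints the folded bytes in order and should be checked against the RFC's Appendix C test vectors before being relied on, and the RFC's six-word encoding is omitted. It also shows the verifier side, which the post does not describe: the server keeps only the last accepted password and accepts a new one only if hashing it once reproduces the stored value, which is why a password captured by a keylogger is useless once it has been used.

```python
"""Added illustration of the RFC 2289 one-time-password chain (OTP-MD5 variant).
Example code, not the One-Time Password plugin's own PHP implementation."""
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """One OTP-MD5 step: MD5 the input, then fold the 128-bit digest to
    64 bits by XORing the first 8 bytes with the last 8 (RFC 2289 section 6)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(passphrase: str, seed: str, sequence: int) -> bytes:
    """One-time password number `sequence` for this pass-phrase and seed.

    The chain starts from MD5(seed + pass-phrase) and is hashed `sequence`
    more times, so otp(n) == fold_md5(otp(n - 1)). The seed is
    case-insensitive, the pass-phrase is not. Length limits follow the RFC
    (pass-phrase 10..63 characters, seed 1..16 alphanumerics)."""
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 10 to 63 characters")
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1 to 16 alphanumeric characters")
    if sequence < 0:
        raise ValueError("sequence number must be non-negative")
    value = fold_md5((seed.lower() + passphrase).encode("utf-8"))
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def to_hex(value: bytes) -> str:
    """Hexadecimal form of a one-time password (six-word form not implemented)."""
    return value.hex().upper()


def password_list(passphrase: str, seed: str, first: int, count: int) -> list:
    """The printable list: (sequence, hex password) pairs in the order of use.
    Sequence numbers count down, from `first` to first - count + 1."""
    return [(n, to_hex(otp(passphrase, seed, n)))
            for n in range(first, first - count, -1)]


class OtpVerifier:
    """Server side of the protocol. Only the last accepted one-time password
    is stored; the pass-phrase never leaves the client."""

    def __init__(self, seed: str, sequence: int, initial_otp: bytes):
        # Enrollment: the client computes otp(sequence) and hands it over once.
        self.seed = seed.lower()
        self.sequence = sequence       # sequence number of the stored value
        self.stored = initial_otp

    def challenge(self) -> str:
        """Challenge string in the RFC 2289 form shown at the login prompt."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, submitted_hex: str) -> bool:
        """Accept the response only if hashing it once reproduces the stored
        value. On success the response becomes the new stored value, so a
        replayed password no longer matches and is rejected."""
        if self.sequence < 1:
            return False               # list exhausted; re-initialisation needed
        try:
            candidate = bytes.fromhex(submitted_hex)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if hmac.compare_digest(fold_md5(candidate), self.stored):
            self.stored = candidate
            self.sequence -= 1
            return True
        return False


def demo() -> bool:
    """Enrollment, two logins and a replay attempt, using constructed values."""
    passphrase = "correct horse battery"   # constructed pass-phrase
    seed = "ex7aX9"                         # constructed seed
    verifier = OtpVerifier(seed, 3, otp(passphrase, seed, 3))
    responses = [to_hex(otp(passphrase, seed, n)) for n in (2, 1)]
    first = verifier.verify(responses[0])
    replay = verifier.verify(responses[0])  # the same password a second time
    second = verifier.verify(responses[1])
    return first and not replay and second


if __name__ == "__main__":
    print("login, replay rejected, next login:", demo())
```

The printed list the plugin generates corresponds to `password_list`: the user works down the list while the verifier's sequence number decreases in step. Submitting an entry out of order is rejected, because hashing it once does not reproduce the stored value; only the entry directly below the last accepted one matches.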

If you find this plugin useful, please vote for it on the WordPress Competition Blog.

Update: this plugin is one of the 11 12 13 Vital Tips and Hacks to Protect Your WordPress Admin Area.

[Screenshot: Login]

[Screenshot: List]

[Screenshot: Generator]

[Screenshot: Authorize (the authorize window for an administrative action)]

[Screenshot: Print]

43 Responses to “WordPress plugin: One-Time Password”

  1. darth scripter says:

    Wow, thanks for that plugin. But I have a problem.
    I don't know if it's just me being dumb or not, but I can't find where the list is. Was I supposed to print the page, or at least write the passwords down? Because I can't see the list.

    • Marcel says:

      After you have generated the list using the settings of the plugin, you will land at the bottom of the list, where you will find the print button.

  2. dmmedia says:

    Trying to set up the plugin with OTPGen, I cannot set the pass-phrase. Clicking the Generate button results in an Invalid pass-phrase error. If I clear the Is One-Time Password checkbox, the OTP list is generated for printing. But if this checkbox is set, the error occurs. I use WordPress 3.0, the latest Apache and PHP included with CentOS 5. Would you like to improve this plugin to work with it? I’ll be glad to contact you and send you additional information required for debugging.

    • Marcel says:

      If you check ‘Pass-phrase is a One-Time Password’, the password should be from your current OTP list (printed or not) with the correct sequence number (look for it in the ‘Revoke One-Time Password list’ section). In this case no new list for printing will be shown.

      If you still get an error, let me know, but be sure to include the error message.

      • dmmedia says:

        Thank you for your reply.
        I have managed to generate the authentication information properly. I have generated the list of passwords, then chosen one of the passwords from the list and regenerated the information, with no more OTP password print list as the result.

        I have installed the j2me-otp application on my mobile phone and tried to log in. But the password phrases generated by the phone were not accepted by the login form. I had to log in using my main password.

        There are three fields to be filled in at j2me-otp application screen:
        password, sequence and challenge.
        As I have understood, the password is that pass-phrase that I have chosen from the OTP print list for generating passwords 2nd time; sequence – is a number that is displayed at the login prompt; and challenge – is a seed/code displayed at login prompt.
        Am I right?

        Do I have to type the full pass-phrase into j2me-otp or can I use the hex value? The same question for generating passwords the 2nd time.

        • Marcel says:

          What you do seems correct to me. Maybe j2me-otp uses MD4 instead of MD5. You could look whether you can change that. You can also try OTPGen. Maybe others are interested in this too, so could you please report back what works and what does not?

          • dmmedia says:

            I have tried the original java version (not j2me) of jotp at http://www.cs.umd.edu/users/harry/jotp/

            I have tried generating MD4 and MD5 passwords using it (the login prompt asks for otp-md5), but the generated passwords were not accepted.
            j2me-otp uses MD5, as stated in its description.

            I will try with another pass-phrase, as this made me doubt whether I wrote the current phrase correctly.

            OTPGen will not generate passwords on my phone. OK button accepts pass-phrase and then does nothing.

          • dmmedia says:

            I have tried using full pass-phrases and hex hashes and combinations of them. Still no luck logging in using OTP.
            Tried with jotp and with j2me-otp.
            Plugin does not display any error during password generation process.

          • dmmedia says:

            Printed OTP codes do work correctly.
            I can login and authorize administrative actions with them.

            It seems I may do something wrong when typing data into the OTP software.

          • dmmedia says:

            No, I don’t do anything wrong with the software.
            Just tried to generate printed phrases and it generates them correctly, just as printed.

            • Marcel says:

              The pass-phrase should match with what you choose when generating the list. If you use the correct sequence and seed it should work (I just tried it with an Android application to be sure). Maybe j2me-otp simply does not conform to RFC 2289.

  3. JemJem says:

    Hello,

    First of all, thank you so much for a nice, handy plug-in.

    I logged in as admin via OTP, but when I try to log out it says:

    Uri: /wp/wp-login.php?action=*&_wpnonce=*
    User: admin
    Password:
    Challenge: otp-md5 45 37x67m7k51s2u9k

    And it gives a javascript back link.

    What can the problem be?
    Thanks in advance.

    • Marcel says:

      Try to adjust the values in the ‘Do not protect’ section of the options and let me know if it helps.
      Change at least ‘/wp-login.php’ into ‘/wp/wp-login.php’, but all values should be changed probably.

      • JemJem says:

        Well it did not work.

        I would like to reset the OTP stored data, but couldn’t find any table in phpMyAdmin.

        I deleted the otp folder and put it back from the zip, but it didn’t help.

        And I will try again.

        Thanks.

        • Marcel says:

          If you want to delete all OTP data, log in (not using OTP), check the OTP option ‘Delete data on deactivation’ and deactivate the plugin. After activating the plugin again, all data will be reset. The data is stored in a few options, not in a table. The OTP data is generated when needed.

          Can you send me the URL your ‘Log Out’ link is pointing to (without nonce)?
          Did you change ‘/wp-login.php?action=*&_wpnonce=*’ into ‘/wp/wp-login.php?action=*&_wpnonce=*’ too?

          • JemJem says:

            I checked the box and deactivated. And reactivated, now everything is going fine.

            I think I had misconfigured the settings. So right now it doesn’t give any error when I click logout.

            Is there any way to make short OTP passwords? For example, something shorter than LAY GURU DUNK JOCK SKEW COAL. Users won’t like the spaces and the length. 7-8 characters would be great. I tried but couldn’t generate them.

            Best of all from the capital city of Turkey, Ankara. ;)

        • Marcel says:

          Try resetting ‘Do not protect’ to the default values (use the link below it) using version 2.8.6 of the plugin.

  4. [...] WordPress Plugin: One-Time Password [...]

  5. Abu Rashid says:

    Hi, I wanted to use this password protection for a specific page, not for all pages. Is that possible with this plug-in?

    • Marcel says:

      The One-Time Password plugin is meant to protect your weblog. I don’t see why it could be useful to protect a specific page. Maybe you can elaborate on what you are trying to accomplish.

      • Abu Rashid says:

        On our website, we wanted to have a page which is password protected and only invited users can see the page. So I wanted to use a one-time password to view that page.

  6. Mished says:

    Hello

    I feel really funny about this ….

    I installed your plugin, sent to settings and did everything and then pressed Generate.

    But … where is the list of passwords supposed to go? Where am I supposed to pick it up, because there’s no list on the same page (i.e. the settings page where I supposedly generated them).

    Am I supposed to go to another page to pick up the list? (scratching head)

    Thanks in advance.

    • Marcel says:

      The One-Time Password list should appear at the top of the same page, but the page is positioned in such a way that the Print button below the list is visible. Maybe your password was too short; look for error messages near the generate button. If you still have trouble, send me a screenshot and I will try to help you further.

  7. [...] This gap is closed, among others, by the “One-Time Password” module by Marcel Bokhorst (http://blog.bokhorst.biz/2200/computers-en-internet/wordpress-plugin-one-time-password/). Installation is as simple as it gets. The German translation I have [...] to the project [...]

  8. Heiko says:

    Hello there,

    I always get a 404 error on the logon screen. I use the WP 2.8.2 DE edition from
    here: http://wordpress-deutschland.org/download/

    I have no idea why.
    If you need a German localization, please contact me.

    regards
    Heiko

    • Marcel says:

      I guess the just released version 1.2 will fix your problem as well, please let me know.
      A German translation would be very welcome! A Dutch .po file is included in the distribution.

  9. eco says:

    Hi, nice plugin. I have a problem because the plugin doesn’t show the correct message on the login page; it shows “Error 404”. Specification: WordPress MU 2.8.1

    • Marcel says:

      The plugin wasn’t tested with WordPress MU yet. Today (even before your comment) I installed WordPress MU (for the first time) and a little fix made the plugin work :) . I just released version 1.2 of the plugin with this fix. Any feedback, positive or negative, would be appreciated.

  10. Jackd says:

    Hi,

    Sorry, but your plugin doesn’t work. When I activated it I got this message:

    Parse error: syntax error, unexpected ‘{‘ in /homez.42/juriblog/www/wp-content/plugins/one-time-password/otp.php on line 48

    My WordPress release is the 2.8.2 one (PHP 4).

    If you can do something for me…

    • Marcel says:

      Thanks for reporting this problem.

      It appears that the PHP One-Time Passwords class used is not compatible with PHP 4. I updated the plugin to check for the PHP version and added a warning to the description of the plugin (version 1.1).

      I am sorry that I cannot solve this problem for you :(

      • Jackd says:

        Hi again,

        Now your plugin (release 1.2) is OK for me. I rewrote my .htaccess file to use PHP 5.0.10 instead of 4.4.9. Thanks for your work.
        Now I’m going to learn how to use it.

  11. [...] Usage instructions can be found under Other Notes and the support page can be found here. [...]

  12. ovidiu says:

    The plugin sounds great, gonna give it a try right now. But I am not 100% sure how it works. Will I have to remember all those one-time passwords on the list and just use one whenever I need one?

© 2010 Marcel Suffusion WordPress theme by Sayontan Sinha