Generate One Time Passwords For Your WordPress Blog – Prevent Keylogging Attacks On Public Computers

Imagine this – you are working from a public computer and need to login to your WordPress blog for urgent reasons. You don’t trust the public computer on the internet parlor because there are chances that the system administrator has installed a keylogger program for tracking keystrokes, user names and passwods.

You may use the on screen keyboard or browser extensions to bypass keyloggers but it’s always a risky affair. You just can’t trust a computer which you don’t own!

There are third party websites like KYPS, which lets you create one time password codes for your email account, social profiles and for your own website. But if you are really serious about securing your WordPress blog from getting hacked by keylogger programs, here is a WordPress plugin which will be immensely useful.

Generate One Time passwords For Your WordPress Blog

One Time password is a brilliant WordPress plugin which lets you create self destructing passwords for your WordPress blog. The alternative passwords generated will work only for a single browsing session, so if anyone else is able to track your WordPress blog’s password using malicious scripts, keyloggers or any other spy surveillance system – the password doesn’t works for the second time.

After you have installed the plugin, login to your WordPress administration area and hit the link “One time password should be generated”

Generate One time passwords for WordPress blogIn the plugin option page, enter a pass phrase which will be used to generate the one time password list. You have to copy the value of the “seed” field and use it as a passphrase.

Note: This plugin requires at least PHP 5.0.0 and WordPress 2.8.

Very Important

1. The characters in the “Seed” are not your password. The seed is used to generate the password list using the MD5 hash algorithm.
2. Be sure to select the checkbox “pass phrase is a one time password” and choose “md5″ as the hashing algorithm.

The following screen shot shows all the details for generating safe passwords for your WordPress blog, which self destructs itself after the used browsing session.

Protect WordPress blog password from keyloggers

Hit “Generate” and the plugin will generate a list of one time self destructing passwords (50 in total) for your WordPress blog. The entire table will be in HTML format, so you can simply select the entire table and paste it in a word document to store these passwords for future use.

Secure Your WordPress blog passwords

Using the One Time Passwords From A Suspicious Computer

When you are on the shared computer and want to login to your WordPress blog, simply use any of the auto generated one time passwords, which you have created earlier.

When you open the wp-login.php page of your WordPress blog, you will see a hint – pointing you to the serial number of the one time password, generated earlier.

You can always use your main password for logging in, this plugin saves the day when you are working from an internet parlour, cyber cafe’s or from a shared computer which you just can’t trust.

Where Should I Store The Password List ?

You should store these passwords in a place which is easily accessible only to you, offline preferred.

Do not store these passwords as a document in your Google Docs account, email account or in any online profile or social networking website.

Why ? Because when you need these passwords, you will have to sign in to your Google Docs account from the same public computer, which defeats the entire purpose of using one time passwords.

A good idea would be to upload a screenshot of the password list to an image hosting website like Flickr and make the visibility as “Private”. (Remember to note the URL)

What Happens To The Password Once I am In ?

When you have successfully logged in to your WordPress blog, the password is immediately destroyed and deleted from your site’s database. The next time you want to use a one time password, you have to use another one from that generated password list, refer to the correct sequence number.

How Do I remember that long password?

You don’t have to remember any of them.

Since every auto generated password of your WordPress blog’s account comes with a unique sequence number, you can simply refer to that sequence number in the password list which was generated earlier. If you want to remember every password on head and do not trust any password manager, extensions etc – read our earlier guide on remembering difficult and complex passswords.

How Do I Remove the passwords When I am Done with them ?

Login to your WordPress blog and deactivate the plugin. For complete assurance, you should also Empty / Drop the tables created by the plugin from phpmyadmin of your site’s cpanel. Be extremely careful before dropping the tables, take a complete database backup first.

I can’t Login to My Site. Help me !

You should be able to login to your site using your original password set with your blog’s account. Try logging in with that

If nothing works (though it should not be), open an FTP client and login to your site’s file server. Navigate to wp-content/plugins/ and delete OneTimepassword plugin directory. As a result, the plugin gets deactivated and everything gets reverted to it’s previous state.

Further reading:

1. Protect your WordPress wp-admin directory with HTACCESS
2. Check your WordPress blog’s email address against Gawker’s hacked email list

The one-time password system conforms to RFC 2289 of the Internet Engineering Task Force (IETF).

Disclaimer: The article discusses in detail all the aspects of using the plugin, we have tested it and confirm that it works as described in the plugin author’s website. But be very careful before implementing the techniques and proceed only when you know what you are doing. We cannot be held responsible for any loss occurred as a result of your behavior.


Amit Banerjee is the founding editor and owner of Ampercent. He is a die hard technology enthusiast and writes about all things technology, How to guides, tutorials and search engines. Follow him on Twitter, read his personal blog or drop him an email.