Plugin Directory

OTP and Passwords for Google Authenticator, McAfee, DS3 ...

Easy secure login, use password or OTP as you need. Works with Smart Crib dongles and free apps: Google Authenticator, Pledge, DS3 OATH, AuthWay Token


  • Initial release - tested with Password S-CRIB and Google Authenticator, supports HOTP OATH with lengths of 6, 7, and 8. Secrets are stored encrypted with a unique key and AES256. Secrets can be entered as hex strings or scanned from QR codes.


  • Fixing a typo in string formatting and the maximum length of the OTP secret (now it is indeed 64 bytes).
  • Showing the secret encoded in the QR code so that it can be typed to a mobile phone app - base32 and hex formats.
  • User ID in the QR code now shows login name and URL of the blog.


  • Removing the length of OTP codes - this is now computed automatically from the first OTP code.
  • Adding a couple of cryptographic keys for future security monitoring.
  • Extending database for new token types - TOTP and MOTP.
  • Fixing a bug where the version is not correctly stored in the WP options.


  • No actual changes to the code.


  • The internet is indeed a toxic place. The timeout policy did not work as it locked out accounts far too often. A new policy has been implemented:
  • When a password is shorter than 7 characters or on the list of weak passwords (weak_passwords.txt), the user has to enter it twice.
  • When there have been at least 5 (for 6-digit OTP) or 10 (7- and 8-digit OTP) unsuccessful login attempts, users have to enter an additional OTP code.


  • When entering an additional OTP code, it would be accepted even when the PIN is missing.


  • Simplifying the administration form.
  • Update of weak passwords.
  • Introducing TOTP.
  • Enforcing the minimum length of the secret to 80 bits (common is 160 bits, but Google uses 80 bits only).
  • Window (the number of acceptable values around expected time <-D,+D> / counter <0,D>) is set to D=2 for 6-digit OTPs and D=4 for 8-digit OTPs.
  • We attempt to identify the size of the time window for TOTP from the values 30 seconds, 60 seconds, and 90 seconds.
  • If OTP is left empty (in the administration form), only PIN and counter are updated.
  • Fixing bug and enabling editing of the counter for HOTP.
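
The window and time-step rules listed above, as an added Python example (not the plugin's own code, which is PHP). It assumes HMAC-SHA1 per RFC 4226/6238, D=2 for 7-digit codes (the changelog only gives 6 and 8), and a first-match rule for picking the TOTP step; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MIN_SECRET_BYTES = 10  # 80 bits, the minimum named in the changelog

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def window_for(otp: str) -> int:
    # Changelog: D=2 for 6 digits, D=4 for 8 digits.
    # Assumption: 7-digit codes use D=2 (the page does not say).
    return 4 if len(otp) == 8 else 2

def _matches(secret: bytes, otp: str, counters) -> list:
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("secret shorter than 80 bits")
    return [c for c in counters
            if c >= 0 and hmac.compare_digest(hotp(secret, c, len(otp)), otp)]

def verify_hotp(secret: bytes, otp: str, counter: int):
    """Search counter <0,D>; return the next counter to store, or None."""
    d = window_for(otp)
    hit = _matches(secret, otp, range(counter, counter + d + 1))
    return hit[0] + 1 if hit else None

def verify_totp(secret: bytes, otp: str, now: int, step: int = 30) -> bool:
    """Search time steps <-D,+D> around now // step."""
    d = window_for(otp)
    t = now // step
    return bool(_matches(secret, otp, range(t - d, t + d + 1)))

def detect_step(secret: bytes, otp: str, now: int, candidates=(30, 60, 90)):
    """Return the first candidate step the code verifies under, else None.
    With a wide window several steps can match; the order breaks ties."""
    for step in candidates:
        if verify_totp(secret, otp, now, step):
            return step
    return None
```

Each extra accepted value raises the chance that a guessed code passes, which is why the window is tied to the code length and why a successful HOTP check must store the advanced counter so the same code cannot be replayed.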


  • Updating database queries to get rid of PHP warnings.
  • Update of screen shots.


  • Renaming to makes sense as the password policy has been changed.
  • A bit of code cleaning.


  • Improvement of logging to troubleshoot install / update problems.
  • Adding contact / support information in the plugin's settings page.
  • Fixing a bug for plugin update (previously not called without activation).
  • Various code cleaning.


  • Added software RNG generator to resolve problems with PRNGs provided by operating systems.
  • Added a new module for SHA256 computation.
  • The plugin tries to send installation logs to our server for future support requests.
  • Experimental push of encryption keys to plugin instances - test for new future services.


  • Got rid of "1 unexpected character read" warning.
  • Fixed issues with RNG when no hardware random generator is available.
  • Improved use of RNG in Windows.
  • Thank you all for feedback with problems!

Requires: 3.0 or higher
Compatible up to: 3.9.0
Last Updated: 2014-5-12
Active Installs: 40+


4.3 out of 5 stars

