And Now for Something Really Secure … One-Time Password Plugin for WordPress

The One-Time Password plugin for WordPress is probably overkill for most of us, but if you regularly need to login to WordPress from computers that you don’t control, this would certainly add an additional layer of security.

BTProx – Use Your Bluetooth-Enabled Phone to Automatically Lock Your Windows PC

BTProx is an open source application for Windows that will automatically lock your Windows Desktop if your bluetooth-enabled cellphone is no longer nearby,

It locks on one of your Bluetooth devices which are paired to the the machine. When you walk away from the computer the device is disconnected and the computer is locked after timeout. It is possible to run a single application together with the lock. This application may be your favorite script dismounting network drives, erasing those dirty files from the desktop or anything else. The program sits in Windows tray showing its current status with tray icon and tooltip baloons.

That is an awesome idea. Hopefully someone will come up with something like this for OSX and Linux as well.

Update: BlueProximity for Linux accomplishes the same thing in Linux.

KeePass

A couple years ago I downloaded and tried the open source password manager KeePass, but ultimately passed on it in favor of RoboForm. The other day I decided to give it a second look since I needed something that was cross-platform.

After tinkering around with it for a few minutes I was sold. I can’t remember why I didn’t like it a couple years ago, but whatever it was they’ve certainly fixed it several times over.

What I especially like about KeePass is the cross platform nature of it. I’ve got it running on my Windows and Ubuntu PCs as well as my Blackberry. For the moment, I update my database on my home server and then upload it to an obscure directory on my dedicated web server. Then its just a matter of installing KeePass on any computer I want to use at downloading the database.

KeePass does a nice job of autotyping. Just put the cursor in the username field, press CTRL-ALT-A and it will find the correct password for the site in the database and fill in the username and password fields.

Someone has written a nice plugin for KeePass 2.x, which is still in Alpha, that will synchronize the database over the Internet (though its unclear if this will work with vanilla FTP/SFTP).

Blizzard Announces a Physical Token for World of Warcraft Account Authentication

Theft of World of Warcraft accounts is a huge problem. The perception is that gold farmers are finding it much more lucrative to simply hack people’s accounts by tricking them into to installing keyloggers rather than actually use in-game bots to farm resources. There is an entire class of trojans now aimed largely at WoW players.

So Blizzard recently announced a forthcoming Authenticator product which looks to be a rebranded RSA SecurID. The device will costs $6.50 and asks the user to link the serial number of the device to the WoW account. From then on, when you want to log in you enter your username and password, then press a button on the Authenticator which generates a number that has to be entered as well. The number is essentially a rolling one time pad, and that specific number is only good for 30-60 seconds. So someone who manages to grab all three pieces of data has a very small window in which to gain access to your account.

As some have noted on WoW-related sites, this sort of scheme is still vulnerable to man-in-the-middle attacks. Think of this being used to authenticate login to a bank website. I put my server in between you and the bank. You think your data is going to the bank, but its really going to my server, then I’m passing it on to the bank, and then passing the bank’s response on to you. You never even know you’ve been hacked until I log in with your password and ID later and clean out everything.

Assuming that the Authenticator is ever owned by a large percentage of users — and I’m skeptical it will be — it will be interesting to see if the hackers turn to man-in-the-middle style attacks or simply turn their attention to an easier target.