

Show HN: Log in to WordPress via QR code (fully functional plugin available) - jackreichert
http://www.jackreichert.com/2012/01/22/no-more-passwords-log-into-wordpress-using-a-qr-code/

======
jackreichert
Would love your input on whether I left any security holes.

Username/password are never passed back and forth, only the unique hash.

Hash is removed from the database once it’s used; old hashes that haven’t been
used can’t be unless the database is hacked, but then you have bigger issues.

All database queries of the hash have been escaped to prevent XSS attacks.
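
The one-time hash flow described in the post above, as an added example that is not part of the original post and is not the plugin's code. It assumes a SQLite table named `qr_login`, a 120-second lifetime for unused tokens, and hypothetical function names; the lifetime goes beyond the post, which only says used hashes are removed.

```python
import hashlib, secrets, sqlite3, time

TTL_SECONDS = 120  # assumed lifetime for a token nobody has used yet

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE qr_login (token_hash TEXT PRIMARY KEY, "
               "user_id INTEGER, expires_at REAL NOT NULL)")
    return db

def _digest(token):
    # Store only a digest, so a copy of the table does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue(db, now=None):
    """Login page asks for a QR code: create an unapproved, short-lived token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable value; no credentials inside
    with db:
        db.execute("INSERT INTO qr_login VALUES (?, NULL, ?)",
                   (_digest(token), now + TTL_SECONDS))
    return token

def approve(db, token, user_id, now=None):
    """An already logged-in phone scans the code and binds its user to the token."""
    now = time.time() if now is None else now
    with db:  # bound parameters keep the scanned value out of the SQL text
        cur = db.execute("UPDATE qr_login SET user_id = ? WHERE token_hash = ? "
                         "AND user_id IS NULL AND expires_at > ?",
                         (user_id, _digest(token), now))
    return cur.rowcount == 1

def consume(db, token, now=None):
    """Login page polls: return the user id once and remove the row."""
    now = time.time() if now is None else now
    h = _digest(token)
    with db:
        row = db.execute("SELECT user_id FROM qr_login WHERE token_hash = ? AND "
                         "user_id IS NOT NULL AND expires_at > ?", (h, now)).fetchone()
        if row is None:
            return None
        # If two requests race, only the one whose DELETE removes the row wins.
        deleted = db.execute("DELETE FROM qr_login WHERE token_hash = ?", (h,)).rowcount
    return row[0] if deleted == 1 else None

def purge_expired(db, now=None):
    """Housekeeping: drop tokens that were issued but never used in time."""
    now = time.time() if now is None else now
    with db:
        return db.execute("DELETE FROM qr_login WHERE expires_at <= ?", (now,)).rowcount
```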

------
sc00ter
Google did this recently (HN discussion here:
<http://news.ycombinator.com/item?id=3469692>) but since ended the
"experiment".

------
sjs382
I like this, but I wonder if there's a way to tie this to a
Google/Facebook/Twitter account? I'm much more likely to already be logged
into one of those devices on my phone...

~~~
freshhawk
Sure. You could have QR code point to a URL on your server that started the
oauth login process and had the one time hash value passed as a parameter.
That hash value would be put in the callback URL for the oauth process. Once
you complete your normal oauth login your server takes the one time hash value
and does the same update the db trick done here.

Aside: God, imagine if browser vendors had put a tiny bit of effort into
password management or even just the UI around http auth back at the
beginning. All sites could use http auth or whatever superseded it instead of
their own login forms and this problem would seem just as stupid as it
actually is.

~~~
jackreichert
Love the idea. Will implement in next version.

------
drumdance
Is it just me, but are QR codes a solution in search of a problem? I see them
everywhere, but I've never seen a single person use one.

~~~
freshhawk
I don't use them often but if I'm walking around and someone wants me to open
a url on my phone for any reason (billboard, ad, store, restaurant, anything
in print) then it better be _really_ short or have the QR code right there for
me to even think of bothering.

Still that means I probably use one maybe twice a month, but I would use them
more if they were more widespread.

I expect most people are the same, no one types long URLs into their phones
while reading them off a newspaper or billboard or store window do they?

~~~
jackreichert
I agree. I don't use them much. But they are a very useful way to share
information easily. When I was in between business cards I created a QR code
of a vcard of my contact info and saved it as the image for my lock screen.

I had an instant conversation topic with me at all times and people seemed to
appreciate the creative use as well.

~~~
freshhawk
That's a great idea. I'm going to do that for my lock screen.

