
Show HN: Print a WiFi Login Card - bndw
https://wifi.dev.bdw.to
======
graton
I just did this the other day using the newest version (6.4.4) of LibreOffice
Writer. It has a QR Code generator built in.

As mentioned by someone else it uses the form of:

    WIFI:T:WPA;S:{ssid};P:{password};;

Wikipedia has information on this
[https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...](https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91Fi_network)

Section of the Wikipedia article:

 _Joining a Wi‑Fi network_

By specifying the SSID, encryption type, password/passphrase, and if the SSID
is hidden or not, mobile device users can quickly scan and join networks
without having to manually enter the data. Note that this technique is valid
for specifying only static SSID passwords (i.e. PSK); dynamic user credentials
(i.e. Enterprise/802.1x) cannot be encoded in this manner.

The format of the encoded string is:

    WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>;

Order of fields does not matter. Special characters """ (quotation mark), ";"
(semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped
with a backslash ("\") as in MECARD encoding. For example, if an SSID were
"foo;bar\baz", with quotation marks part of the literal SSID name itself, this
would be encoded as: WIFI:S:\"foo\;bar\\\baz\";;

As of January 2018, iPhones have this feature built into the camera app under
iOS 11.x. Android users may have the feature built into one of the device's
stock apps (e.g. Samsung Galaxy S8/S8+/Note8 users can launch the stock
browser, tap the browser's 3-dot menu, then choose "Scan QR code") or can
install one of several available free apps such as "Barcode Scanner" or "QR
Droid" to perform the QR Wi-Fi join.

~~~
ShamelessC
Typical Samsung, putting the feature inside their stock browser (which I've
disabled) instead of the camera where it makes sense.

~~~
HenryBemis
I don't want the camera to "think", I want it just to take photos. Otherwise
someone can spread small stickers with QR commands/URLs and your phone is
trying to connect to www.sex-pills-malware.com/download-nasty-file.html

XKCD's bobby tables comes to mind. Sanitize your inputs. If you point & click
and you immediately process what your camera sees, there is great risk in
that.

I want a photo to be a photo. If I want to scan a QR code for the purpose of
scanning a QR code, I use some special app (and I block its Wifi/3G
connectivity to ensure the QR app will not leak what I just photographed).

Edit: I follow the Steve Gibson school of thought. I want the "thing" to do
the "thing", and nothing but the "thing". Camera should do camera-ing (adjust
camera-related-attributes). QR app should do QR-app-things (show me in clear
text the QR code and ask me what do I want to do with it)(register WiFi, visit
a website, etc).

~~~
alias_neo
Without trying to be funny, perhaps you should use a camera then and not a
phone, to take photos? You're already in the realm of your device doing many
more things than "the thing".

As for scanning automatically, no camera app based scanner I have witnessed
performs any action in response to finding a QR without user input. Of course
this could still happen accidentally or by the QR's content finding some
vulnerability.

At the end of the day, I think QR scanning in the camera is the obvious
solution to non-hacker-news-browsing-people, and to make it go mainstream it
needs to be accessible.

In spite of the above, I still agree with you, and use a barcode scanner from
f-droid myself.

------
chrismorgan
Per [https://github.com/bndw/wifi-card/blob/5d7fbbda1e8eac5802c8d7b4a9644e8f37a4e041/src/components/Card.js#L22](https://github.com/bndw/wifi-card/blob/5d7fbbda1e8eac5802c8d7b4a9644e8f37a4e041/src/components/Card.js#L22),
the QR code text is of this form:

    WIFI:T:WPA;S:{ssid};P:{password};;

[https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-network-config-android-ios-11](https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-network-config-android-ios-11)
seems to be where this format came from. (That page
describes various other forms of QR codes too.)

bndw: looks like some characters need escaping: backslash, semicolon, comma
and colon. Maybe more too, given the treatment of double quotes in that last
link (I’ve filed
[https://github.com/zxing/zxing/issues/1292](https://github.com/zxing/zxing/issues/1292)
about that inconsistency).

~~~
brujoand
Ah I just read through the code to figure this out, because I wanted to know
what other formats exist. Should’ve checked the comments first. Thanks :)

------
chrismorgan
Another fun bug report: I entered _lots_ of input, and the page suddenly went
blank. In the console:

    Error: code length overflow. (28252>23648)

So yeah, seems like all you have to do is paste 24KB of data in and it blows
up. :)

I see this failure mode in React apps a _lot_, where a bug causes an
exception to be thrown, and the page just vanishes in a puff of smoke, as
though it never was.

Half the time I’ve seen this failure mode it’s also been combined with
_persisting the bad value_, so that the site is permanently broken until you
can unpersist the value (e.g. clear localStorage or IndexedDB or cookie; but
if the bad value is stored on a server you’re truly stuck).

The impression I’ve taken away is that it’s entirely unacceptable for a React
component to throw an exception, because it will immediately destroy
_everything_. Wonder how common such failures actually are, and whether
there’s anything React itself could do about it (my guess is not).

~~~
bndw
Thanks, fixed. TIL ssids have a max char count of 32:

[https://serverfault.com/questions/45439/what-is-the-maximum-length-of-a-wifi-access-points-ssid](https://serverfault.com/questions/45439/what-is-the-maximum-length-of-a-wifi-access-points-ssid)

~~~
chrismorgan
FYI, maxlength is actually not enough to protect against people like me that
are determined to break things for fun: Firefox 77 starts letting you exceed
maxlength if pasting text in, to protect against accidental truncation. See
[https://www.fxsitecompat.dev/en-CA/docs/2020/text-exceeding-maxlength-will-no-longer-be-truncated-when-pasted-into-input-or-textarea/](https://www.fxsitecompat.dev/en-CA/docs/2020/text-exceeding-maxlength-will-no-longer-be-truncated-when-pasted-into-input-or-textarea/).

You may say it’s a fairly contrived failure, but it’s easily possible, and
plausible if the user _thinks_ they copied the password onto the clipboard,
but actually those paragraphs of text they copied earlier are still on the
clipboard. That sort of thing happens to people that use the clipboard (e.g.
me) not uncommonly.
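
An added example (not from the thread or the wifi-card code): checking the fields in code, so that a paste which bypasses `maxlength` never reaches the QR encoder. The function names are hypothetical; the assumed limits are 32 octets for an SSID and, for a WPA-Personal key, 8-63 printable ASCII characters or 64 hex digits.

```javascript
// Added example; names are hypothetical, not from wifi-card.
const encoder = new TextEncoder();

// The SSID limit is counted in octets, not characters, so measure UTF-8 bytes.
function validateSsid(ssid) {
  const bytes = encoder.encode(ssid).length;
  if (bytes === 0) return "SSID is empty";
  if (bytes > 32) return `SSID is ${bytes} bytes; the limit is 32`;
  return null;
}

// Accept either a 64-digit hex key or an 8-63 character printable-ASCII passphrase.
function validatePassphrase(pw) {
  if (/^[0-9a-fA-F]{64}$/.test(pw)) return null;
  if (!/^[\x20-\x7e]*$/.test(pw)) return "passphrase must be printable ASCII";
  if (pw.length < 8 || pw.length > 63) {
    return `passphrase is ${pw.length} characters; allowed range is 8-63`;
  }
  return null;
}

// Returns every problem found, so the UI can show them instead of crashing.
function validateCard({ ssid, password }) {
  const errors = [validateSsid(ssid), validatePassphrase(password)].filter(Boolean);
  return { ok: errors.length === 0, errors };
}

// Constructed samples: a normal card, and a clipboard accident of 24,000 characters.
console.log(validateCard({ ssid: "home", password: "correct horse battery" }));
console.log(validateCard({ ssid: "x".repeat(24000), password: "x".repeat(24000) }));
```

Run `validateCard` on every change and render its errors rather than calling the QR encoder, which keeps oversized input away from the code path that threw.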

~~~
bndw
All good. This was a random weekend hack project meant to solve a specific,
personal need. Figured I'd share it out in case others were interested.

I'm glad it's sparked your curiosity but I hope you'll understand the intent.
I'd be happy to accept PR's if you'd like to contribute!

------
CapriciousCptl
Neat. You can find more supported QR codes for iOS here--
[https://developer.apple.com/videos/play/tech-talks/206/](https://developer.apple.com/videos/play/tech-talks/206/) (I
couldn't find docs but you can skip around the video, starts at 1:11).

~~~
Flimm
Nice! I didn't realise that iOS supports QR codes out of the box now.

~~~
wise_young_man
They added support built into the camera app starting with iOS 11 (released in
2018).

[https://9to5mac.com/2018/05/16/how-to-qr-codes-ios-11-iphone/](https://9to5mac.com/2018/05/16/how-to-qr-codes-ios-11-iphone/)

------
pathseeker
Woah, do not get into the habit of putting your wifi network password into a
website if you care about security. This particular site might or might not
collect it now but it's a terrible habit to put your sensitive data into
another site.

Imagine if this was a web-based password strength meter.

~~~
tialaramex
In WPA2 and earlier it makes sense to have a WiFi password even if it isn't
secret from anyone.

Without a WiFi password these versions communicate in plaintext, so a passive
adversary can snoop everything, choosing a password switches on encryption and
thus protects against passive eavesdroppers.

Only in WPA3 do networks with no password get encryption to protect you from
passive eavesdroppers.

Obviously an active MitM can work regardless, but that's trickier to attempt
and unavoidably subject to detection.

If you "care about security" in the sense of not wanting random people to
connect then you should not use "Personal mode" which is garbage in all
versions of WPA because it relies on a shared human memorable password and
(say it after me) human memorable passwords are garbage.

Use whichever of the terrible 802.1x alternatives best fits your scenario, as
these authenticate specific users rather than relying on a single shared
password. You can federate to allow large groups of people with something in
common to all use all the networks in the federation. For students (and
academic staff) most tertiary education sites in the world now offer Eduroam
for example.

Or, give it all up as a bad job, and (with the caveat at the top about
preventing passive eavesdropping) just stop trying to fence off your network
and accept that it's the Internet and you'll need a BeyondCorp / Zero Trust
security model.

~~~
h4waii
WPA doesn't rely on a "human memorable password". You can generate a random 63
character string to use.

The point of QR for this is to be able to actually share that high entropy 63
character string so you don't have to use a "human memorable password".

~~~
tialaramex
Fair point. Thanks.

------
wiml
An idea that's been kicking around in my head is a widget with an e-ink
display for hackerspaces, cafés, and other multi-user spaces that displays
a password-of-the-day along with a qrcode for easy login. Heck, include an NFC
chip that hands out application/vnd.wfa.wsc objects as well.

I'm not sure how useful it would be beyond the cool factor, of course … the
cafés in my area don't seem to change their wifi passwords often at all, so I
assume they're not very concerned about leeching. The typical practice of
printing it on a receipt or writing it on the board next to the soup-of-the-
day is probably hard to beat.

~~~
bronco21016
Typically you’d just use a captive portal with sessions that time out. That’s
sufficient to keep away all but the most determined leechers.

~~~
pathseeker
Unfortunately they are really annoying to use.

~~~
dvtrn
What have been your frustrations with them? I’ve found them dead easy to set up
and implement.

~~~
joe5150
they are annoying _for users_. they are the reason sites like NeverSSL exist,
for instance.

------
seesawtron
Can someone give a short explanation as to how it works in the backend? The
QR code contains username and password. But how does my phone's QR scanner
know that it's an SSID/pw and eventually connects to the network?

~~~
macintux
See this comment:
[https://news.ycombinator.com/item?id=23371188](https://news.ycombinator.com/item?id=23371188)

Presumably the camera app recognizes “WIFI:” as a protocol string and passes
the details along to the system settings.

~~~
seesawtron
Yes I saw, that is what the QR code contains (username and password of the
WIFI). But I do not understand what my phone does when it sees that. There are
tons of dumbed-down articles on "how-to" instructions but none explaining the
backend stuff happening on my phone's side.

Also found qifi.org that does a similar thing.

~~~
daveevad
it sounds to me like it's a custom url scheme built into ios.

[https://developer.apple.com/documentation/uikit/inter-process_communication/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app](https://developer.apple.com/documentation/uikit/inter-process_communication/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app)

~~~
kevin_thibedeau
It's vCard, not URL.

------
lucb1e
I like the interface and that it doesn't need a server to generate the QR
image, but it doesn't work for my network ¯\\_(ツ)_/¯

Edit: perhaps I should clarify that that's my network's name. In the qr code
reader it shows up as ¯_(ツ)_/¯ and it's stored in wpa_supplicant.conf as
c2af5f28e38384295f2fc2af (indeed missing the backslash).

~~~
chrismorgan
Hah, I noticed the lack of escaping when skimming the code (see my
comment—workaround until fixed will be for you to double the backslash
yourself) but didn’t expect it to actually _affect_ anyone. Don’t think I’ve
never seen a backslash, semicolon, comma or colon in an SSID. Or non-ASCII!
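
An added example (not the wifi-card project's code) of the backslash escaping discussed here and in the earlier comment on the card template, with a small reader to check round-trips. It shows the unescaped form dropping the backslash from the SSID reported above and cutting a password at its semicolon; all function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not from wifi-card.
// Characters escaped with a backslash, per the thread and the zxing wiki.
const SPECIAL = /[\\;,:"]/g;

function escapeField(value) {
  return value.replace(SPECIAL, (ch) => "\\" + ch);
}

// Unescaped form, as in the template quoted in the thread.
function naivePayload(ssid, password) {
  return `WIFI:T:WPA;S:${ssid};P:${password};;`;
}

function buildWifiPayload(ssid, password) {
  return `WIFI:T:WPA;S:${escapeField(ssid)};P:${escapeField(password)};;`;
}

// Minimal reader: a backslash makes the next character literal,
// the first unescaped ':' ends a key, an unescaped ';' ends a field.
function parseWifiPayload(payload) {
  if (!payload.startsWith("WIFI:")) throw new Error("not a WIFI payload");
  const fields = {};
  let key = null;
  let buf = "";
  for (let i = 5; i < payload.length; i++) {
    const ch = payload[i];
    if (ch === "\\" && i + 1 < payload.length) {
      buf += payload[++i];
    } else if (ch === ":" && key === null) {
      key = buf;
      buf = "";
    } else if (ch === ";") {
      if (key !== null) fields[key] = buf;
      key = null;
      buf = "";
    } else {
      buf += ch;
    }
  }
  return fields;
}

const shrug = "¯\\_(ツ)_/¯"; // constructed sample: the SSID from the thread
console.log(parseWifiPayload(naivePayload(shrug, "pa;ss")));     // S and P damaged
console.log(parseWifiPayload(buildWifiPayload(shrug, "pa;ss"))); // both intact
```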

~~~
lucb1e
Since finding out SSIDs are not limited to 7-bit ASCII or something, my
networks have never been the same.

~~~
chrismorgan
Hmm, but it looks like under WPA-Personal keys _are_ still limited to
printable ASCII?

~~~
lucb1e
Those you actually have to enter, though, so I never set those to anything
that wouldn't be available on a standard keyboard.

------
toomuchtodo
Lovely! Is it possible to inject SSID and passphrase parameters as env vars
into the Docker container and have a png or pdf render without the web
interface?

Edit: Thank you to those who replied!

~~~
jasonjayr
qrencode is in debian/ubuntu
([https://fukuchi.org/works/qrencode/](https://fukuchi.org/works/qrencode/))

    qrencode -t ansiutf8 'WIFI:T:WPA;S:{ssid};P:{password};;'

No docker required ...

~~~
toomuchtodo
I’m on a Mac, so I would need Docker if the tool wasn’t built for Mac (only
Linux).

~~~
dewey
No, you can just install it via Homebrew.

    brew install qrencode

~~~
toomuchtodo
Good to know! Thank you!

------
canada_dry
Combine this with a small/cheap e-paper display and dd-wrt on your wifi router
and you have the tools for auto generating and displaying a new daily guest
password.

Be a decent solution for a business that wants to offer guest wifi with a
little less risk of abuse.

~~~
quickthrower2
Or for free: use that old smart phone in your drawer.

~~~
derN3rd
But that would cost you battery all the time, while the e paper would just
need power to update the qr code

~~~
quickthrower2
Good point. Dig out that old kindle!

------
jedberg
I made one of these before a party and put it up by the door for the guest
wifi. It was great because I didn't have to tell anyone the wifi password
during the party!

------
tzs
This should be a feature of password managers, or at least password managers
that have a separate item type for wireless networks.

Someone suggested it on the 1Password forums [1] and one of their employees
said it was a great idea and would pass it to the development team, but
that was in September, 2017, so apparently it didn't go anywhere.

About 18 months ago, someone suggested it on /r/1password [2], and again
someone from 1Password liked it and said they would pass it on to the devs.

[1]
[https://discussions.agilebits.com/discussion/82070/feature-request-wifi-qr-code-display](https://discussions.agilebits.com/discussion/82070/feature-request-wifi-qr-code-display)

[2]
[https://www.reddit.com/r/1Password/comments/a1udg2/feature_r...](https://www.reddit.com/r/1Password/comments/a1udg2/feature_request_wifi_qr_codes/)

~~~
rhinoceraptor
I've created an iOS Shortcut to do this:

[https://routinehub.co/shortcut/5451](https://routinehub.co/shortcut/5451)

------
encom
I've tried to use these before, but since my SSID is [the poop emoji] (which
I've just learned is verboten on HN) and the password is 64 characters of hex,
I've never gotten it to work, and have exposed bugs in lots of shitty wifi
hardware and software. 64 char hex is what a regular 8-63 char password is
hashed to for encryption. Specifying it directly as 64 char hex is in spec,
and should be supported in software or hardware that's made properly.

Emoji SSID just kind of works in most cases, because an encoding was never
specified for that string, afaik.

TL;DR: I shoot myself in the foot for entertainment.

~~~
shakna
According to the 2012 spec, the SSID _can_ have an encoding. It can optionally
be either the previous byte buffer without any real limitation to it, or UTF-8
encoding.

So as hex, you would need to try both of these for your ssid: U+1F4A9 or F0 9F
92 A9

Unfortunately, encoding to UTF-8 and setting a BOM won't guarantee this will
work for you, because most QR decoders actually use heuristics to guess the
encoding of the text.

You can make it behave a little better by setting ECI (to specify the
encoding) when creating your QR code, but even though that was introduced in
2000, most QR decoders don't have ECI implemented.

Your best bet is to try UTF-8 encoding of the emoji first, and then fallback
to the unicode representation.

------
srhngpr
Recently came across a QR Coder [1] that can generate for a variety of
different purposes, including Wifi (e.g., Bookmarks, Email, Contact,
GeoLocation, SMS, URL link, etc.) - the same website also has an
encoder/decoder and an API [2], but I've not tried those features.

[1]
[http://niftypdf.com/Barcoder/QRCoder](http://niftypdf.com/Barcoder/QRCoder)
[2] [http://niftypdf.com/Barcoder/API](http://niftypdf.com/Barcoder/API)

------
groundpepper
This is incredibly useful, I didn't know our phones had this feature.

------
dheera
Might be a dumb question but how do you scan a QR code like this on Android
without a 3rd party app? The only way I've ever known to scan QR codes is by
scanning from within WeChat.

~~~
Aachen
For OS versions without built in scanner, or where the scanner is some garbage
from your hardware vendor, there's an open source scanner both on f-droid and
on the google play store if that has your fancy. I've been using it forever
and so far it supported everything I threw at it.

[https://f-droid.org/app/com.google.zxing.client.android](https://f-droid.org/app/com.google.zxing.client.android)

------
thephyber
Neat. I investigated doing something like this a few weeks ago, but it turned
out there's a site that has a variety of QR code tools:

[https://www.qr-code-generator.com/](https://www.qr-code-generator.com/)

(not trying to advertise the site, just saying it wasn't worth my time to
reinvent something)

------
Flimm
Do all Android and iOS devices support this feature?

~~~
ken
iOS since 11.0 (2017, >98% of iOS users today):
[https://en.wikipedia.org/wiki/IOS_11#Other_changes](https://en.wikipedia.org/wiki/IOS_11#Other_changes)

------
hikari_techlab
This is convenient and easy to use. It would be nice to be able to print
multiple access points with one print.

------
castratikron
Maybe someone will sell wifi routers with cute little LCD screens in them that
show this QR code?

------
paddlesteamer
I like how it ignores WEP. Don't use WEP.

------
djronin47
Looks pretty useful.

