Encoding your WiFi access point password into a QR code (cloud.geek.nz)
685 points by edward on Dec 29, 2019 | 227 comments

Most ISPs put this kind of QR code on the provided "modem" in France with the default Wifi password of the device.

I love QR code. I think it should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.

It's a fantastic way to transition from paper to bits.

Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.

Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, most laptops definitely don't. Not to mention some QR code readers are sometimes just the regular camera app (e.g. modern iOS), which is very confusing. And even if all that is not a problem, your QR code scanner may not be able to understand a particular format or will read the Wifi code but just display it while it's supposed to save it as a new access point.

It's definitely not a solved problem.

Are you not concerned that QR codes are just completely opaque URLs asking to be clicked? Do you confidently click on URLs in spam emails? Of course not since we all know URLs can point to malicious payloads. So why should we love QR codes that could just as easily do the same?

If I’m a spammer trying to get people to click on my bogus links in my email messages, why wouldn’t I also print those same URLs as QR codes and paste them around my city with creatively enticing titles?

Do you never click URLs in emails? Of course you do, when you're confident the sender is reputable.

Parent was referencing trusted contexts: the default password printed on your wifi router, the bill a cashier just handed you for what you just bought, the legal papers you just signed, etc. The QR code just links the trusted document with trustworthy digital versions & extended content.

I'm not worried a spammer is going to get a bogus QR printed on the grocery store receipt I just received. I'm not going to scan QR codes printed & posted on subway walls for no apparent reason.

I can't imagine a qr code on a receipt being anything but tracker-infested spam.

That's how it currently is in some shops. Amazing how marketers are always ahead on such technologies.

Can confirm.

I was visiting a nature reserve where the trail opened to a resting area with some seats. A tree had a woodcut QR code on it, so I thought I'd scan it to find out more about the area.

Turns out, the QR code linked to some tracking site with a short URL. Even worse, the short URL had since been deleted, so I have no way to know the original URL it went to.

Yep, it'll definitely have a tracking code added to the URL.

> Do you never click URLs in emails? Of course you do, when you're confident the sender is reputable.

Nope. I go to the sender's URL manually and look for what it is they sent an email about.

You’re the exception that proves the rule


Don't most people within the HN demographic mouse over to see the link in emails?

For comparison, my phone shows me the URL that the QR code decoded to, and prompts me to confirm that I want to browse to it

Remember bitly, AMP, CDNs?

Also, as to something like a javascript exploit in a URL itself, QRs can hold a surprising amount of data, enough to max out most URL browser limits around 2,048 bytes.

At least bitly lets you look before you leap. Add a + to the end of any bitly URL to see where it goes, when it was created, and how many people clicked it.

You've described some of the scenarios that would result in me not clicking the link. The feature works well, doesn't it.

This is functionally the same as hovering over links in emails, which is the context in which I made my comment.

Ok, explain those to my mom.

Ok but if it's a bitly link then I'm still not clicking. Just like if an email includes an obviously shortened email.

Bitly is so useful though for making usable QR links

On the desktop, especially if the Email is even slightly suspicious? Always. On mobile, it's somehow a lot more difficult and user unfriendly.

hover text and/or copy and paste into browser before hitting go.

The QR scanning app that I use displays the URL so I can check if it looks okay, but most of them are abbreviated using services like bit.ly, so that doesn't help much. You'd have to have a UI that lets the user step through several redirections, but that would probably confuse people.

You're shifting responsibility from developers to the users. If reading a QR code triggers a bank transaction, that's an issue with the QR scanner and the banking application.

Users cannot check if a domain is "ok" by looking at it. You visit websites to discover what's there. A few years ago it was common knowledge that ".to" is shady and ".com" looks more legit. Now we have more TLDs than I can count. How is someone supposed to check that with visual inspection?

The way it should go: you scan a QR code. It gets interpreted into something useful that doesn't cause harm.

"Hey this QR would cause a 5€ transaction to Jon Doe. OK?" That's something the user can decide upon. payment://jon-doe:5€ doesn't help much.

(Edit: reading your post again, I realize it might be exactly what you have in mind)

I was mostly thinking about URLs in untrusted contexts, like maybe from an ad you see on the street, that you want to screen by hand against malicious intent; not so much about things like your banking app example, which should always have some kind of confirmation anyway.

It really shouldn't matter to the browser what URL you enter. Maybe it's not the page you're looking for. But opening a website itself should cause no harm.

Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on it - of course, since that's what a website is for.

What I'm trying to make clear is that there is no such case where QR scanners, browsers or application may consider a safe context where the user implicitly consents with malicious actions by the QR/website/...

> It really shouldn't matter to the browser what URL you enter.

In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browers, it absolutely does matter.

Qrafter on iOS has exactly that UI, which is why I use it.

If anyone knows of an equivalent on Android (preferably available on F-Droid), I'm all ears.

I recommend “Privacy Friendly QR Scanner” (https://github.com/SecUSo/privacy-friendly-qr-scanner) by the SECUSO group, who specialize in apps that respect user privacy.

Worked great for me on my last phone, and peace of mind knowing you aren’t being tracked.

Available to download on fdroid or the play store.


SecScanQR shows you the URL and lets you decide if you want to open it or not. It's on F-Droid. https://f-droid.org/en/packages/de.t_dankworth.secscanqr/

No more than regular url written in a paper. People write them blindly anyway, they don't know what it means nor how to read it.

But QR code are not just for URL, they can contain up to 7k, which is a lot for text and numbers. And you can have several of them, use compression, etc.

Because urls have letters & words in english that I can read and determine if the website is authentic or not as opposed to QR code that no human can read?

Have you never come across phishing scams that looked eerily authentic only to be clued in by the fake url? I can read the URL before going to the website, and unless QR codes have a step where you have to manually confirm going to the url provided by the code (most don't) then that's a security risk

QR code readers show you the url, you have to push a button to navigate to it. So it's no different than having it copied manually.

Not that it matters much for most users, as I said earlier, they blindly type url. They have no idea what it is.

You could put a warning saying "are you sure, this is going to kill your mother and steal all your money" and people would click on it if it's easy to do.

Microsoft did that research. Well, they didn't propose to kill anybody's mother but the test participants used their real bank credentials and Microsoft tested different behaviours in IE to see what would deter users from giving these credentials to a bogus site having accepted a task to log in and perform some basic operation.


Nothing deterred the users. Warning dialogs were clicked past, obvious problems or mismatched information was ignored. The only way to stop users from giving their credentials to bad guys was what I call Brick Wall UX. The browser has to stubbornly refuse to let you do it. Unable to complete their task the user at last gives up.

This is a teachable moment. Your users are probably not going to be smarter, better informed or more cautious at least on average than in this test.

This sounds like something which should be continuously tested, as a litmus test as to how careful people are. I don't suppose you have a link or pointed search terms for this instance?

> Because urls have letters & words in english that I can read and determine if the website is authentic

You must have some super-human ability to read a computer's mind if you can grok the kind of urls that usually come in emails like https://tinyurl.com/uvc58uq

You can see what the tinyurl redirect destination URL is (value of Location response header) without also requesting that URL. Not with a typical browser configuration, but with curl or some hosted solution delivering this functionality.

Of course, if the email actually has a unique URL per recipient, then doing this gives away the fact that you interacted with the email.
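An added example (not code from any commenter) of the hop-by-hop inspection discussed in the comments above: read each `Location` header with a HEAD request, never follow it automatically, and stop before contacting any host that is not explicitly approved. The host names, the hop table and all function names are constructed for illustration; `head_request` is the only part that would touch the network, and the demo swaps in a table lookup so it runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def head_request(url, timeout=5):
    """Send ONE HEAD request; return (status, Location header or None).

    http.client never follows redirects, so the destination is only read,
    not requested. Caveat from the thread: if the first URL is unique per
    recipient, even this single request reveals that you interacted with it.
    """
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def host_allowed(allowed_hosts):
    """Build an approval policy: only contact hosts the user already accepted."""
    def approve(url):
        return urlsplit(url).hostname in allowed_hosts
    return approve


def walk_redirects(url, approve, fetch=head_request, max_hops=5):
    """Step through a redirect chain one hop at a time.

    Returns (chain, requested, reason): every URL learned, the subset that was
    actually contacted, and why the walk ended.
    """
    chain, requested = [url], []
    for _ in range(max_hops):
        current = chain[-1]
        if not approve(current):
            return chain, requested, "stopped: next hop not approved"
        status, location = fetch(current)
        requested.append(current)
        if status not in REDIRECT_CODES or not location:
            return chain, requested, f"final response {status}"
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            return chain, requested, "redirect loop"
        chain.append(nxt)
    return chain, requested, "hop limit reached"


# Constructed hop table standing in for real servers (hypothetical hosts).
CONSTRUCTED_HOPS = {
    "https://short.example/abc": (301, "https://track.example/r?id=1"),
    "https://track.example/r?id=1": (302, "/go"),
    "https://track.example/go": (302, "https://landing.example/promo"),
    "https://landing.example/promo": (200, None),
}


def fake_fetch(url):
    """Offline replacement for head_request, backed by the constructed table."""
    return CONSTRUCTED_HOPS[url]


def demo():
    policy = host_allowed({"short.example", "track.example"})
    return walk_redirects("https://short.example/abc", policy, fetch=fake_fetch)


if __name__ == "__main__":
    chain, requested, reason = demo()
    for hop in chain:
        print("contacted" if hop in requested else "NOT contacted", hop)
    print(reason)
```
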

Clicking a link can't infect your computer with a virus anymore. As long as any vulnerabilities in QR scanner apps are reliably patched, it should be just as safe as clicking a link. There are zero-days, but that risk exists any time you're connected to the internet anyway.

The cost and risk of putting a sticker on a wall is much greater than that of sending a spam email. Legitimate advertisers already hire people for >$0 to do that. Illegitimate ones risk personal criminal prosecution because they have to be physically present.

plenty of scanners allow you to decode a code & show the url or whatever is encoded in it without opening the link & give you options so I wouldn't be concerned at all.

Use bit.ly it's quicker ;)

FWIW, I know iOS's camera natively detects QR codes, and I believe Android does as well.

In my opinion, the ability to use the native camera app to read a QR code significantly reduces the barriers-to-read for general users

Absolutely game changing for the technology! And very convenient too

"very convenient"...

Nowadays it seems anything that can do something FOR you usually does something TO you.

They can’t be used to encode very much data though. They wouldn’t be suitable for storing documents, but could be used to store the location of a document. I was trying to be clever once and thought I could encode X.509 certificates in QR codes. Even that much data was pushing the hard limits of what they can store, and became very hard to scan (I quickly realised this wasn’t actually very clever).

7kb for a supermarket bill is plenty, and you can have several of them.

Forms and legal documents should all have an immutable official url and uuid anyway to point to their legal and administrative context.

The largest QR code in the standard, "version 40" - can only store 3 kilobytes at the lowest level of error correction and 1.2 kilobytes at the highest level [1]. And that's a pretty huge QR code [2]

My back-of-the-envelope calculations say you'd need 61 bits per line on a receipt just to encode UPC, quantity and price. So the largest QR code would only allow 19-50 lines. And that's without including data like the store name, special offers, means of payment and so on. Believe me, plenty of people buy more than 50 items in their supermarket christmas shop :)

Standardised digital receipts would be neat but, QR codes encoding the data ain't the way to go about it.

[1] https://www.qrcode.com/en/about/version.html

[2] https://commons.wikimedia.org/wiki/File:Qr-code-ver-40.svg

Seems like the obvious thing would be to have the QR code contain a "receipt ID" (UUID?) in a URL.

When the QR code is scanned, the browser opens to the URL, the remote side takes your "receipt ID", and presents you with a list of all the items you purchased.

I can't imagine any decent-sized retailer isn't already maintaining records like this.

See, one of the useful properties of a paper receipt is that, once you receive it, you can be fairly confident about the ~one way you're going to lose it

Two ways. Receipts fade, sometimes very quickly.

1.2 kilobytes = 9.6 kilobits. If you need 61 bits per line, you’ve got enough bits for 157 lines. 393 lines if we go with 3 kilobytes. I think you may have used 61 bytes per line in your calculation rather than 61 bits.

I (not OP) would say bytes would be closer. The product name could be 20 characters long (20 bytes minimum)

OP was assuming the receipt would list the product UPC code rather than product name. A UPC code is 12 digits, which can be encoded in 40 bits.

it could just contain a url linking to a page with the content.

I wish we could encode PGP public keys with them, but it's still too much data.

That would be a neat way of exchanging a key.

You can definitely encode ed25519 keys to a QR code.

How big is your pgp public key? Mine is under 4K in ascii and can definitely fit in a QR code.

If you use a crypto atm it will print out your wallet’s private and sometimes public keys as QR codes.

4K is around the point where some devices will start to have issues scanning. Also, crypto wallets won’t usually give you the private key, instead they’ll give you the 12 word BIP39 seed phrase which will be around 70-80 bytes.

Gpg key fingerprints are very small though and can be used for that.

Can X.509 certs use elliptic curve? They’d be much smaller.

Even without the key they start to look pretty dense. You can definitely fit one in a QR code, they just start to become less reliable to scan (especially on cheap devices), and they go from looking nice to looking quite ugly. Technically most X.509 certs would have been within the limitations of QR codes (though I don’t think there is an upper bound to how large they can get), but I realized it just wasn’t fit for purpose and moved on to something else.

Are you using 8 bit encoding? An alphanumeric mode QR code containing base 64 encoded data provides less capacity. In binary mode even a 4096 bit RSA secret key fits while ECC keys produce smaller codes.

The qrencode tool has an 8 bit mode but not all decoders can handle binary data. For example, my phone shows me mangled results and I can't redirect them to a file. Like structured append, it doesn't seem to have much support.

I've sent patches to ZBar improving this:


Hopefully it will make QR codes more useful for storing keys and other small files.

i think datamatrix is more suitable for x509

Yes.. I had made a form that was scanned and all the metadata for the page was stored in datamatrix at the bottom.. With a laser printer and a good scanner you can reliably put a lot of data in there...

> Not to mention some QRcode readers are sometimes just the regular camera app (E.G: modern iOS), which is very confusing.

You can use that if you wish, however there is an entirely separate and dedicated QR reader built into iOS that is accessible from control center. The icon to launch it is even a QR code which eliminates such “confusion”.

Huh, I had no idea there was a dedicated QR reader "app", since it's not a default icon (you have to add it from within Settings), and there's no actual app. But it's there!

Interesting they added that when the camera app already scans QR codes. I wonder if it's an enterprise thing for devices in the field, where companies want to prevent the camera app (no photos), but need to scan codes.

Have you been to China? QR—everywhere.

QR in China are different animals.

They are not generic QR codes, but encoded instructions to access specific in-app features in WeChat/AliPay. If you scan those special codes with generic QR readers, you get invalid URLs.

IMO this makes it even worse to use generic QR codes, because if a QR code cannot be parsed by WeChat/AliPay, most Chinese users do not know what to do with it.

Yes, that's why I know it's possible.

>All legal documents and forms should have one.

The ones you download from e-government in Turkey have QR codes. I think other e-documents have QR code too. You can validate them by using https://play.google.com/store/apps/details?id=tr.gov.turkiye...

Current Android WiFi list has a dedicated QR Code button next to it, so it should become more accessible in half a year when most people are on Android 10

This data [1] from google is a bit old (from May 2019), but shows about 10% on Android 9, and maybe a third on Android 8+; to get 50%+ (the common interpretation of most) you're looking at Android 7+, and that was released three years before the stats. Maybe, if uptake of 10 is as good as 7+, we'll see most people on Android being able to use this in 2022.

[1] https://developer.android.com/about/dashboards/

Project Treble made a huge difference, and Android 9, which is one year old, is already at 48% market share. This is so much faster than older Android upgrades before it.

Source: https://www.androidpolice.com/2019/12/18/pornhub-does-what-g...

Stats from different places are going to show different trends. Google's stats are a lot closer to all of the Android market than PornHub's. It's unfortunate that Google is slow to update. But it might be interesting to look at trends in PornHub's data, if they provide it over multiple years.

> Unfortunately most users have no idea what it is.

In the west, yes, it's absolutely prolific in Asia though. Even the most technologically illiterate people over there know and use qr codes all the time. A huge divide.

They teach kindergarteners to use QR codes where I live.

firefox preview has an embedded qrcode scanner

For url only. Qrcode are for much more than url.

You either use URL or custom app to scan Qrcode. You can't encode arbitrary data and expect universal reader being able to interpret it. And URL is actually good way to store small amounts of data, because you can launch web app to handle it and it's compatible with any device.

you probably mean URI

I'm not sure it's only for urls

I really think manufacturers have really missed out on an opportunity with QR codes by handing them over to marketing. Most of the early QR codes in the US were just links to advertising. I'm not going out of my way to scan a QR code just to be advertised to.

On the other hand it could have been a great way to develop much better relationships with your customers. As a trivial example, I own a snowblower. It would be nice if there had been a QR code on the machine that identified that specific machine. I could have scanned it and immediately registered it with the manufacturer. Scanning the code could take you to a manufacturer page for your specific machine, where you could record routine maintenance like oil changes, get a copy of the manual, and order replacement parts. They could send you periodic reminders like, "it looks like it's been a while since an oil change", or "it's getting cold outside. Now's a good time to make sure everything is in shape".

There is a ton of stuff around the house that I need to record information about but have to have my own system. If the manufacturer provided a way to do that they could offer their expertise with the product and a convenient way for you to record that information. I'd love to have a QR code on the side of my HVAC system, water heater, filtration system, etc.

I painted my wifi password as a QR code on 40x40cm canvas..

Painted as in with a brush and paint, it was a bit of work, but now it's both pragmatic and pretty :)

Did something similar for my roommates recently. We have no printer in our flat, so I grabbed a piece of graph paper, redrew the QR code and taped it onto the fridge. Now our guests can simply scan the picture instead of strenuously rewriting the complicated password.

What's the problem with using a long but humanly readable password, like several concatenated words? It's not like you are trying to protect against large scale attacks.

Scanning it is easier than typing it into your phone.

Pics or it didn't happen.

I mean, it's not that hard to believe...

I think it is a joke-attempt at getting him to reveal his wifi password :)

I have hereby been whooshed, though in my defense I have a guest-only, throttled and isolated wifi network so the potential for misuse didn't occur to me.

I have exactly the same. I don't want the entire world to use it though, as it still uses my broadband connection, which contains my external IPv4 address. I guess I should tunnel it over a VPN instead.

Pretty sure only people who know where you live can use your wifi network, and only then when they are in range - not the entire world.

Network name is: WOOSH!!!

If you change the password, will you repaint the picture?

It's just a guest network...

Who cares if my neighbors or people walking by can use it?

That depends on your legal jurisdiction and its ideas about liability.

There are public places where you can get internet for free..

And it's not like I'm publicly advertising :)

Pretty sure you're somewhat responsible for your IP

So that it is visible from the street...

No, but how well do you really need to secure your guest network?

If people want anonymous WiFi for nefarious purposes they can go to a cafe.

There is a Merge Request to support QR code for hotspot created in GNOME control center: https://gitlab.gnome.org/GNOME/gnome-control-center/merge_re... Hopefully, shall be available in next release

Fun fact: TicketMaster scanners can perform admin functions via QR code, including “testing” the tone that tells the agent your ticket is valid.

Ooo, care to share any examples? For… research purposes…

that is indeed a fun fact.

Combine this with some automatism which changes the password of your guest WiFi and putting it on a cheap e-ink display.

This is interesting, however my main problem with really long Wi-Fi passwords is devices that have bad ways to input text. Things like a media box using a remote controller or a video game console using its controller.

WPS was born to fix this, however the specification is so broken that it is literally useless from a secure standpoint.

Also, there's no need for 63 character passwords. You can get ~128 bits of entropy with around 22 alphanumeric characters.

On some devices it may be easier to enter a long password from a restricted character set than to enter a shorter password from a richer set.

For example, I've seen TVs that allow using a numeric keypad on the remote for entering digits in text and password fields, and require use of a clumsy on-screen keyboard for entering letters or punctuation. The on-screen keyboard is navigated with the up/down/left/right/ENTER buttons on the remote, and might have multiple shift states for case and punctuation requiring navigating to and pressing a shift key whenever the password has adjacent characters that need different shift states.

On such a TV, I'd rather enter a 39 character all numeric password than a 22 character alphanumeric password. Entering 39 characters on a hardware numeric keypad is way faster and way less error prone.

if the on-screen keyboard even has all the characters needed.

when we got new internet in our previous home i was forced to change our password that everyone had already set from previous use, because the new configuration interface didn't allow spaces. so i used underscores. then family visited and they had a tablet with a keyboard that didn't have underscores.

Indeed, or dialing in 63 chars on a Nest thermostat would take about 10 minutes.

Or when you set up a new apple computer, you have to enter the wifi password without being able to see what you type, without being sure it is the right casing, and if you are not in the US without being sure you are using the right keyboard layout in the first place (there is no opportunity to type something else in a clear text box before that step).

When a friend tried to connect to a new network on their MacBook, a second friend with an iPad got a pop-up that such-and-such was attempting to connect to their network, and if they wanted to share connection details. One click and they were in.

Creepy, but convenient.

There is a very specific set of requirements that have to be met for that window to pop up

You have to be shared contacts, have Bluetooth and wireless on. There might be others that I don’t remember

Not sure if it is really that creepy - IIRC there is an encrypted advertisement over bluetooth that your contacts have the key to recognize/decrypt.

I don't buy iPhones but if Apple produces ADSL modems and splitters I am definitely going to buy.

If you choose to put a WiFi password up on a sign as a QR code, do not post it in view of a window. Passers-by should not be able to connect to your network from outside your home or office. This advice also applies to plain text passwords posted on signs.

I taped the qrcode to the top of my access point so I don't forget where it is.

And if you're using DuckDuckGo (and are not concerned about transferring your WiFi, or whatever data) you can try this query:

qr some text


I use DDG as my daily search engine and didn't know about this. I'm frequently impressed by all the "extras" that they include.

I think I'll start using this a lot!

I do this in our house and it works great. I discovered one flaw though. When I say scan the QRCode I am immediately told “i don’t knows how” Or asked “the what?” Or disapproved of with “I hate those things.”

Fun fact no one has ever actually scanned the code... ever! Maybe if I was a cafe but not for house guests.

Instead of "scan" have you tried telling people to point their phone's camera at it?

"Scan" sounds to them like some separate action that they would need to know how to do. But at least on iOS all it takes is opening the camera and pointing it at the code - you get a pop up notification asking you to join the network.

I bet people know how to point the camera at something even if they don't think they know how to scan it.

If nobody will use it, does it really work great?

Solutions that work technically but lack adoption is the default state of software engineering!

Okay so you don’t live in China then I take it

Plasma (KDE) now has a button in its network widget that does just that - show the QR code for this wifi network.

I have a picture frame in my house with a QR code for the wifi, and also an NFC badge so you can just lift your phone to it to connect.

NFC stickers cost approximately nothing, and you can program them using an app on your phone.

The ability to write your connection settings to a NFC sticker is also built right into Android.

Once I noticed Android supported QR scanning to connect to WiFi natively, I started implementing this at my hotels - I wish all businesses did the same.

Is it only Android 10 that can do this with scanning a qr code, or also v9?

I believe it's only Android 10 onwards that has the QR Code scanning feature [1][2][3] since it was added by Google in order to support the new Wi-Fi Easy Connect standard [4] (the replacement for WPS).

[1] https://9to5google.com/2019/03/13/android-q-wi-fi-sharing-qr...

[2] https://www.androidpolice.com/2019/09/12/every-new-android-1...

[3] https://www.androidpolice.com/2019/06/10/android-qs-wi-fi-ea...

[4] https://www.wi-fi.org/discover-wi-fi/wi-fi-easy-connect

This has been a thing for longer than I can remember. Many many years, it should only depend on what your QR scanner is capable of (and that will vary since most use their default camera app for scanning QR codes and most manufacturers ship their own - but by now I hope even older phones have it).

Android 10 made some more specific features for this, such as automatically generating the QR code for others and scanning QR directly from the wifi settings.

But on other versions, it depends on the 3rd party app you use for QR code scanning. From the screenshots, it seems like certain versions of Android have this available directly from the Wi-Fi password screen, without the need for a 3rd party application.

That's what I thought I said...

The 3rd party application usually is just your bundled camera app.

Are you deliberately trying to be confusing? A "bundled camera" is the exact opposite of a 3rd party app. 3rd party would mean one must install it from the playstore.

Sorry, 3rd party in the sense that it is not part of Android.

Almost every manufacturer ships their own camera app so it is hard to know what features are present given a certain Android phone.

Android 9: Camera search icon on Google assistant (long press "home" and cancel voice command) offers "join network" option for this kind of QR code

I had to install Google Lens first. When I tap join network, the reply is that I have to manually join the network. This is Android 9, and is an Android One phone (yes, still on Android 9 and not even a year old).

Update: Actually it works with the built-in Camera. Point to QR, it decodes it and shows SSID and password, there's a wifi icon button, and pressing that immediately connects.

Nice! BTW, the camera search icon is called Google Lens.

i don't see any built-in way to do it on android 9, but the zxing barcode scanner app works perfectly.


Well ZXing invented the Wifi format[1].

If, for whatever reason, you wanted to do this with older iOS you had to use a configuration profile[2]. This would be distributed as a PList that you'd link to in the QR code. Which means the device needs to be connected to a network to download it first. A captive portal could help with that, or put it on the internet maybe protected with a geofence so you're not advertising your password to the world.

[1] https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-n...

[2] https://developer.apple.com/business/documentation/Configura...

It works on Android Pie with the Binary Eye code scanner app.


Android 8.1.0 has at least support in the OS, but not in the Wi-Fi UI

I have Android 8.1.0 (LineageOS 15.1), and a generic 'barcode reader' app (https://play.google.com/store/apps/details?id=com.google.zxi...) and it works just fine.

Open the barcode scanner app, scan QR code, and it says "Requesting access to network'

The default camera app on my Moto G7 (Android 9) scans QR codes. When it detects this format inside a QR it offers a 'connect to wifi' button.

Oddly the G7 Play camera just stares dumbly at the QR.

When I use a third-party reader it shows that a password containing special characters really confuses this particular notation, since colons and semicolons are also used for field delimiters. Even if I escape them when passing the argument to qrencode, the parser app stumbles on them.
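An added example (not from any commenter and not ZXing's code) of the delimiter problem described in the comment above: a builder for the `WIFI:` payload that backslash-escapes the field delimiters, a parser that splits only on unescaped `;`, and an unescaped payload for comparison. The escape set (`\`, `;`, `,`, `:`, `"`) is assumed from the ZXing wiki's description of the format; function names, SSID and password are constructed.

```python
# Characters assumed to need a backslash escape in the WIFI: notation.
SPECIAL = '\\;,:"'


def escape(value):
    """Backslash-escape every delimiter character inside a field value."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def unescape(value):
    """Reverse escape(): a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_wifi_payload(ssid, password, auth="WPA", hidden=False):
    """Return the text to hand to a QR encoder (e.g. as qrencode's input)."""
    fields = [("T", auth), ("S", escape(ssid))]
    if auth != "nopass":
        fields.append(("P", escape(password)))
    if hidden:
        fields.append(("H", "true"))
    return "WIFI:" + "".join(f"{k}:{v};" for k, v in fields) + ";"


def naive_payload(ssid, password, auth="WPA"):
    """What you get by pasting the raw password in: no escaping at all."""
    return f"WIFI:T:{auth};S:{ssid};P:{password};;"


def split_unescaped(text, delim):
    """Split on delim, but keep backslash-escaped pairs together."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # escaped pair stays inside the field
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_wifi_payload(payload):
    """Parse a WIFI: payload into {field letter: unescaped value}."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi network payload")
    result = {}
    for field in split_unescaped(payload[len("WIFI:"):], ";"):
        if not field:
            continue  # the terminating ';;' yields empty fields
        key, sep, raw = field.partition(":")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        result[key] = unescape(raw)
    return result


if __name__ == "__main__":
    ssid = "Guest Net"            # constructed sample values
    password = 'p;ss:w\\ord,"x"'  # contains every delimiter character
    good = build_wifi_payload(ssid, password)
    bad = naive_payload(ssid, password)
    print(good, "->", parse_wifi_payload(good)["P"])
    print(bad, "->", parse_wifi_payload(bad)["P"])  # truncated at first ';'
```

Whether a given scanner app honours the escapes is a separate question; the round trip here only shows that the notation itself can carry such passwords when both sides follow the same rules.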

Was wondering the same. The author didn't mention the minimum required version for Android compared to iOS, so I assumed Android must have long supported it and I always just missed it.

On another note I find it quite awkward that the feature is buried in that dialog on Android. You even need to tap on the network you want to connect to when that information is already in the qr code.

> You even need to tap on the network you want to connect to when that information is already in the qr code.

On my OnePlus 6T the scan QR code button [1] is next to 'Add network' so you don't have to select the Wi-Fi network first.

[1] https://i.imgur.com/qTicNpI.png

I think they added the QR code Wifi URI in Android 6, it's been a while. It's mostly an issue with apps supporting it, and to be honest I can't believe it's still not a standard feature of the camera apps on all Android devices, like the iPhone does.

Works for me on Android 7.0 on Xiaomi Redmi Note 4X 4G Phablet since 2017 with the com.xiaomi.scanner app.

Bonus: I can also share my WiFi settings by opening a QR code on my phone's display.

Very neat! However, IMHO 63 characters is a bit much for the password.

“If you use lower-case, upper-case, and digits, and if you generate it truly randomly, then a 16-character password has 95 bits of entropy. That is more than sufficient.”

Source: https://security.stackexchange.com/questions/15653/recommend...

A 63 character password with ten dictionary words is on average much easier to type than a 16 character random ASCII printable string, especially on phone keyboards.

Not on my switch or home entertainment system though.

The PS4 might be a pain (though I haven't tried the gesture typing feature), but the Switch has a touchscreen so there's no issue there.

Fuck me, you are right. I was doing everything with the joycons... Well, there goes half an hour of retyping.

But the 10 dictionary words might be less secure than 16 random characters. xkcd estimates a word has 11 bits of entropy.

Your math is off. Even if you take the 11-bit estimate (if you use something like diceware you get 13 bits), 10 words give you 110 bits. Meanwhile there are 95 ASCII printables, 16 of them give you a maximum of 105 bits, and usually people don’t use the full range (ambiguity, especially painful to type, etc.) & don’t generate a uniformly random string, which means you’re getting fewer than that. Even 95 is an optimistic estimate.

I said "might be", and someone might estimate a word to have 10 bits of entropy. And you previously said dictionary words, not random dictionary words, so a human choosing those words might choose words that relate to each other.

A friend has a ~32 character camel case phrase as his WiFi password.. just a nightmare for people to type on their phones. iOS’s “share pass with contact” helps but every once in a while someone has to spend 10 minutes trying to get a password to work. So silly.

Your friend needs a guest wifi with “fun friends” as the password that they turn on and off as necessary.

It’s funny that friend goes to the effort of a super long password, but then lets people connect to it.

I have an NFC card that contains the connection information with the QR code and plain text credentials taped to it. Even fewer devices support that, but when they do you don't even have to open an app. Just tap and you're in.

Which devices support this?

Pretty much any Android device from the past 4-5 years should support connecting to WiFi via NFC (assuming the device actually supports NFC).

This can be helpful on devices which have a display device but no keyboard to help users connect during first-time setup.

Example: https://github.com/aderusha/HASwitchPlate/blob/master/Docume...

For this project, on first boot the device creates an AP, then displays a QR code containing SSID and key (along with text version of the same) that the user can connect to. Upon connection a captive portal will redirect the user to the configuration page, allowing the user to select the desired SSID and configure other essential values.

If you have a phone handy, just scan the display, accept the prompt to connect, and the next thing you see is the configuration page popping up as Apple and Android detect it as a login page.

I used this when setting up mesh WiFi for my parents, a few years ago. I set up a guest network and a main network; the guest network had a fairly-long password, and the main network had a very-long password, both WPA2-Personal.

I put together a two-page PDF, page size about 4 inches by 6 inches. One side had the info for the main network; the other side had the info for the guest network. "the info" included the SSID, the password, and a large QR code.

I then sent the PDF to FedEx, printed on card stock, double-sided, and laminated, with instructions to cut the excess paper away before laminating. The result was a nicely-put-together "quick reference" card that my parents can use for whatever needed. If my parents get a new phone, putting it on WiFi is as simple as a QR-code scan.

That's such a better solution for guests too, I've visited many friends where I had to crawl under their desk to see the SSID and password printed on the back of the router... because they haven't changed the factory settings.

For those concerned about entering your network info into an online qr tool, some time ago I attempted a minimal JS and transparent site for generating these codes (https://github.com/jamsinclair/wifiqr).

Or I suppose just use the cli tools, as mentioned, for extra safety...

Or is it extra safety to use the CLI?

Arguably it is easier to verify that a webapp is not sending the data to a 3rd party, than it is to verify that the CLI tool doesn't (easy network inspection from the developer tools).

I don't think it is that problematic to put your WiFi credentials into a random website, since the possibility that the creator is a scammer AND lives near enough to you to exploit that fact is really small.

However sure, having the peace of mind that this will not happen may still make it more worth it to do it yourself.

It’s easier to verify the CLI tool, since it wouldn’t be available in my distribution’s repositories if it contained phone-home code.

Much CLI code is installed around the distros' repos.

It's also very easy to put a webapp into offline mode.

Indeed it is! But we still need to reset the web app entirely after having used it. Service worker might cache messages.

How do you do that? Private browsing + cut ethernet?

Shameless plug but I wrote https://github.com/elsesiy/qrgo which you don’t even need to install locally, check it out if you’re interested!

This is super helpful for mobile devices.

But it makes it rather confusing how to connect on, e.g., a laptop without having to scan the QR code with the mobile device first. If the password is 63 characters long, typing it wouldn't be 'quick'.

There should be a laptop app which can import a QR code picture from a file. Most laptops also have a webcam nowadays, perhaps it could be used too.

Exactly. Although an iPhone can share the credentials with a MacBook, I think.

I can attest to the usefulness of this. I have a similar thing set up on my iPhone via the Shortcuts app and it's been quite nice to share my long password without worrying about the hassle of spelling it out. Here's the Shortcut, in case anyone wants to try it out: https://www.icloud.com/shortcuts/681b4f7b030543b79ab7de6afa3...

My (default) “shortcuts security settings do not allow untrusted shortcuts”.

Well that’s surprising and nice.

Instead of installing a package to generate a QR code, you can simply use this free Google service:


Remember to URL encode the SSID and PASSWORD if you have any characters that can't go into a URL. (Also, you have to trust Google to not store that URL anywhere)

Instead of using a Google service to generate a QR code and hope they don’t store that URL anywhere, you can simply install a package.

I'd trust a Debian package over Google's service any day.

Yes, let’s give all passwords for wifi networks to the company that notoriously maps all wifi networks they can find. What could possibly go wrong...?

This happens every time I use android to connect to a WiFi network. Google stores my info in clear text to them.

Thanks for the warning, I had no idea. Note to self: always give temporary guest passwords to Android users.

They already have all passwords... They are conveniently backed up on android devices. They have the cleartext.

(as do apple btw.)

Apple's WiFi password sharing system uses iCloud Keychain, which is end-to-end encrypted [1]

[1] https://support.apple.com/en-us/HT202303

As long as Apple can run arbitrary code on your device, protocols do not matter.

>you have to trust Google to not store that URL anywhere

You also have to trust Google to still be operating the service by the time you come to use it.

pure JS WiFi QR Code Generator


A secure random WiFi password in a QR code is great for Android and iOS, and the laptops/desktops that can sync their password database with them over Bluetooth.

But what about all those other random WiFi devices? I don’t relish the thought of entering 63 characters into my printer’s goofy interface, a games console, my car, etc...

Your car connects to WiFi? Oh boy, the security implications...

Every Tesla car has a SIM card and data connection that is used to connect to a VPN that high enough level engineers can use to run ssh commands directly on every Tesla car at once or even target certain ones.

You know nothing, Jon Snow.

California is thankfully neutering that sort of backdoor access.

Really? Neutering it how?

Tesla already has an “Allow remote access” toggle, which defaults to OFF, that prevents you from connecting to it via the app etc.

(Whether this fully prevents Tesla connecting to it remotely, I’m not so sure...)

Wifi easyconnect is a very helpful feature that lets you connect to a wifi network by scanning a QR Code.

Create your Home wifi QR code https://modemly.com/qrcode

How do I read it then? My Android camera app only lets me copy the encoded text to the clipboard or share it with another app. What app should I use to use it to actually connect to the wireless network?

But what if you want to connect something other than a phone to your network? I have a lot of laptops that don't run iOS or Android. I guess I'm old fashioned like that.

The Owlet baby monitor does this. When you need to connect it to WiFi you give the app the creds and then it generates a QR code. Then you hold it in front of the camera to scan.

I so wanted to use this for work, where there is a rotating password scheme, but unfortunately it doesn’t work on iOS if the hotspot has a captive portal :/

Another great barcoding library is BWIP-JS at https://github.com/metafloor/bwip-js/

You can immediately generate QR codes from it using this link: http://bwip-js.metafloor.com/demo/demo.html

I use BWIP-JS in my electron app. Love it. Super easy and reliable way to print barcodes on a label printer using nice UI: https://label.live

I have an old Kindle it would be fun to put the QR code on that.

And maybe somehow a script that rotates the password updating the Kindle.

I set up a Raspberry Pi with a small display showing the weather forecast, next 5 calendar events and a QR code for the WiFi using this:




Sits on the kitchen counter. Guest password is rotated and the display is auto-updated.

The Raspberry Pi is running MagicMirror, but I just have it outputting to a small display (7"). Looks great.

I use a Ubiquiti wifi AP and it has an API to change the guest password.

When I see it spelled wrong (like in the title of the OP here) my mind pronounces it "whiffy"


This editor supports wifi qr codes

Extra points for assembling it from Lego.

Also, NFC is awesome.

Why would I want to make it EASIER for people coming over to use my WiFi?

You're missing the point. Imagine having a really complex password - would you want to just scan a code or copy it character by character?

You don’t give your WiFi password to everyone that visits?

I think the OP is making a joke about the fact that some guests who get the wifi password, may spend all their time looking at their phones instead of socializing. That happens nowadays when one throws a party or movie night.

This should be as socially unacceptable as picking your nose at a party.

I was indeed.

These days everyone has 4G internet, so there's no point in giving your WiFi password to everyone.

I do have 4G, but at $1 per 100MB. I'd rather have the WiFi password when one's available.

Not OP, but I've a guest network.

Guest network with no password is the way; some firmware allows you to turn the reset button into this function's switch.

Before WPA3 a network with no password offers less security than a network for which everybody knows the password.

In WPA3 finally the no password ("guest") case has randomly chosen keys using RFC 8110 instead of being unencrypted, so it's equivalent security to everybody knowing the password.

I agree no password is the best outcome, and WPA3 makes that finally no more dangerous than it needs to be.

I mean turn it off once guests are gone. Yes, it's not safe, as everything on the network can be sniffed by your nosy neighbors; you can quarantine this guest network from your ethernet to make it less revealing. It's meant to be a one-off thing to avoid hassle. Good to know they have that in WPA3.

In WPA3 the nosy neighbours can't sniff anything. If there is no password or they know it they can do an active MITM to get between users and your Access Point because it now uses a PAKE, but active attacks can be detected and would be a bit more than "nosy neighbours". If you use anything fancier than a password (including technologies like EduRoam or GovRoam, Active Directory login, whatever) any adversary has to attack that instead.

To the replies, it was a joke >_>

I think it'd have worked better if s/people/friends

To be a good host?

If you are going to write an article about this on a website with geek in the domain name, and post it to Hacker News, you are going to have to get more technical than that.

Explaining the "WIFI:T:WPA" bit would have been nice to see.

At the bare minimum a link to an article that explains it would be necessary to meet the bar.

In the current state this article is a user-level how-to document, and fails to meet the bar for an article targeted at "hackers".
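Added example, not part of the thread or the linked article: the "WIFI:T:WPA" layout asked about in the comment above, together with the delimiter problem an earlier comment hit with passwords containing colons and semicolons. The field names and the backslash-escaping rule follow the ZXing "Barcode Contents" wiki cited earlier in the thread; the function names and the sample SSID and password are constructed for illustration.

```python
import re

# Characters that must be backslash-escaped inside field values
# (per the ZXing "Barcode Contents" wiki linked in the thread).
SPECIAL = '\\;,":'

def escape(value):
    """Backslash-escape delimiters so they survive inside S: and P:."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)

def build_wifi_payload(ssid, password="", auth="WPA", hidden=False):
    """Text to put in the QR code: T=auth type, S=SSID, P=password, H=hidden."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    if auth != "nopass" and not password:
        raise ValueError("a password is required unless auth is nopass")
    fields = ["T:" + auth, "S:" + escape(ssid)]
    if auth != "nopass":
        fields.append("P:" + escape(password))
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"

def parse_wifi_payload(payload):
    """Reader side: split on unescaped ';' only, then undo the escaping."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields = {}
    # A field is a run of escaped pairs (\x) or characters other than ';' and '\'.
    for raw in re.findall(r"(?:\\.|[^;\\])+", payload[len("WIFI:"):]):
        key, _, value = raw.partition(":")
        fields[key] = re.sub(r"\\(.)", r"\1", value)
    return fields

if __name__ == "__main__":
    # Constructed sample values containing every delimiter.
    ssid, password = "Guest;Net", 'p;a:ss\\w,rd"1'
    good = build_wifi_payload(ssid, password)
    naive = "WIFI:T:WPA;S:%s;P:%s;;" % (ssid, password)
    print(good)
    print(parse_wifi_payload(good))   # round-trips
    print(parse_wifi_payload(naive))  # fields are cut at the raw ';'
```

When the payload is handed to a command-line encoder, single-quote it so the shell does not consume the backslashes before the encoder sees them.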

If you are going to comment on threads on a website, how do you know where the "bar" is?

By reading the "Guidelines" [0], of course!

In fact, the very first item on that page is titled "What to Submit" and explains exactly where that bar is:

> On-Topic: Anything that good hackers would find interesting. That includes more than hacking and startups. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual curiosity.

Apparently enough of us found it "interesting" for it to show up on the front page.

(The time you spent writing your comment would have been better spent banging your head against the wall -- at least you might have something (a bruise) to show for it!)

[0]: https://news.ycombinator.com/newsguidelines.html

Your comment breaks Hacker News guidelines.
