I love QR code. I think it should be everywhere. All legal documents and forms should have one. All supermarket bills should have one.
It's a fantastic way to transition from paper to bits.
Unfortunately most users have no idea what it is. They don't know what a URL is, so a QR code is out of the question.
Plus they don't necessarily have a QR code scanner on their devices: not all phones have one by default, most laptops definitely don't. Not to mention some QR code readers are sometimes just the regular camera app (e.g. modern iOS), which is very confusing. And even if all that is not a problem, your QR code scanner may not be able to understand a particular format or will read the WiFi code but just display it while it's supposed to save it as a new access point.
It's definitely not a solved problem.
If I’m a spammer trying to get people to click on my bogus links in my email messages, why wouldn’t I also print those same URLs as QR codes and paste them around my city with creatively enticing titles?
Parent was referencing trusted contexts: the default password printed on your wifi router, the bill a cashier just handed you for what you just bought, the legal papers you just signed, etc. The QR code just links the trusted document with trustworthy digital versions & extended content.
I'm not worried a spammer is going to get a bogus QR printed on the grocery store receipt I just received. I'm not going to scan QR codes printed & posted on subway walls for no apparent reason.
I was visiting a nature reserve where the trail opened to a resting area with some seats. A tree had a woodcut QR code on it, so I thought I'd scan it to find out more about the area.
Turns out, the QR code linked to some tracking site with a short URL. Even worse, the short URL had since been deleted, so I have no way to know the original URL it went to.
Nope. I go to the sender's URL manually and look for what it is they sent an email about.
This is functionally the same as hovering over links in emails, which is the context in which I made my comment.
Users cannot check if a domain is "ok" by looking at it. You visit websites to discover what's there. A few years ago it was common knowledge that ".to" is shady and ".com" looks more legit. Now we have more TLDs than I can count. How is someone supposed to check that with visual inspection?
The way it should go: you scan a QR code. It gets interpreted into something useful that doesn't cause harm.
"Hey this QR would cause a 5€ transaction to Jon Doe. OK?" That's something the user can decide upon. payment://jon-doe:5€ doesn't help much.
(Edit: reading your post again, I realize it might be exactly what you have in mind)
Just compare with today's internet advertising. Legit websites are still full of somewhat malicious ads. And users click on it - of course, since that's what a website is for.
What I'm trying to make clear is that there is no such case where QR scanners, browsers or applications may consider a safe context where the user implicitly consents to malicious actions by the QR/website/...
In a world where browsers are vulnerable to remote code execution, and a world where users do not run the latest version of a browser, and in a world where zero days exist in browsers, it absolutely does matter.
Worked great for me on my last phone, and peace of mind knowing you aren’t being tracked.
Available to download on fdroid or the play store.
But QR codes are not just for URLs, they can contain up to 7k, which is a lot for text and numbers. And you can have several of them, use compression, etc.
Have you never come across phishing scams that looked eerily authentic only to be clued in by the fake URL? I can read the URL before going to the website, and unless QR codes have a step where you have to manually confirm going to the URL provided by the code (most don't) then that's a security risk.
Not that it matters much for most users, as I said earlier, they blindly type url. They have no idea what it is.
You could put a warning saying "are you sure, this is going to kill your mother and steal all your money" and people would click on it if it's easy to do.
Nothing deterred the users. Warning dialogs were clicked past, obvious problems or mismatched information was ignored. The only way to stop users from giving their credentials to bad guys was what I call Brick Wall UX. The browser has to stubbornly refuse to let you do it. Unable to complete their task the user at last gives up.
This is a teachable moment. Your users are probably not going to be smarter, better informed or more cautious at least on average than in this test.
You must have some super-human ability to read a computer's mind if you can grok the kind of urls that usually come in emails like https://tinyurl.com/uvc58uq
Of course, if the email actually has a unique URL per recipient, then doing this gives away the fact that you interacted with the email.
The cost and risk of putting a sticker on a wall is much greater than that of sending a spam email. Legitimate advertisers already hire people for >$0 to do that. Illegitimate ones risk personal criminal prosecution because they have to be physically present.
In my opinion, the ability to use the native camera app to read a QR code significantly reduces the barriers-to-read for general users
Nowadays it seems anything that can do something FOR you usually does something TO you.
Forms and legal documents should all have an immutable official url and uuid anyway to point to their legal and administrative context.
My back-of-the-envelope calculations say you'd need 61 bits per line on a receipt just to encode UPC, quantity and price. So the largest QR code would only allow 19-50 lines. And that's without including data like the store name, special offers, means of payment and so on. Believe me, plenty of people buy more than 50 items in their supermarket Christmas shop :)
Standardised digital receipts would be neat, but QR codes encoding the data ain't the way to go about it.
When the QR code is scanned, the browser opens to the URL, the remote side takes your "receipt ID", and presents you with a list of all the items you purchased.
I can't imagine any decent-sized retailer isn't already maintaining records like this.
That would be a neat way of exchanging a key.
If you use a crypto atm it will print out your wallet’s private and sometimes public keys as QR codes.
The qrencode tool has an 8 bit mode but not all decoders can handle binary data. For example, my phone shows me mangled results and I can't redirect them to a file. Like structured append, it doesn't seem to have much support.
I've sent patches to ZBar improving this:
Hopefully it will make QR codes more useful for storing keys and other small files.
You can use that if you wish, however there is an entirely separate and dedicated QR reader built into iOS that is accessible from control center. The icon to launch it is even a QR code which eliminates such “confusion”.
Interesting they added that when the camera app already scans QR codes. I wonder if it's an enterprise thing for devices in the field, where companies want to prevent the camera app (no photos), but need to scan codes.
They are not generic QR codes, but encoded instructions to access specific in-app features in WeChat/AliPay. If you scan those special codes with generic QR readers, you get invalid URLs.
IMO this makes it even worse to use generic QR codes, because if a QR code cannot be parsed by WeChat/AliPay, most Chinese users do not know what to do with it.
The ones you download from e-government in Turkey have QR codes. I think other e-documents have QR code too. You can validate them by using https://play.google.com/store/apps/details?id=tr.gov.turkiye...
In the west, yes, it's absolutely prolific in Asia though. Even the most technologically illiterate people over there know and use qr codes all the time. A huge divide.
On the other hand it could have been a great way to develop much better relationships with your customers. As a trivial example, I own a snowblower. It would be nice if there had been a QR code on the machine that identified that specific machine. I could have scanned it and immediately registered it with the manufacturer. Scanning the code could take you to a manufacturer page for your specific machine, where you could record routine maintenance like oil changes, get a copy of the manual, and order replacement parts. They could send you periodic reminders like, "it looks like it's been a while since an oil change", or "it's getting cold outside. Now's a good time to make sure everything is in shape".
There is a ton of stuff around the house that I need to record information about but have to have my own system. If the manufacturer provided a way to do that they could offer their expertise with the product and a convenient way for you to record that information. I'd love to have a QR code on the side of my HVAC system, water heater, filtration system, etc.
Painted as in with a brush and paint, it was a bit of work, but now it's both pragmatic and pretty :)
Who cares if my neighbors or people walking by can use it?
And it's not like I'm publicly advertising :)
If people want anonymous WiFi for nefarious purposes they can go to a cafe.
WPS was born to fix this, however the specification is so broken that it is literally useless from a secure standpoint.
For example, I've seen TVs that allow using a numeric keypad on the remote for entering digits in text and password fields, and require use of a clumsy on-screen keyboard for entering letters or punctuation. The on-screen keyboard is navigated with the up/down/left/right/ENTER buttons on the remote, and might have multiple shift states for case and punctuation requiring navigating to and pressing a shift key whenever the password has adjacent characters that need different shift states.
On such a TV, I'd rather enter a 39 character all numeric password than a 22 character alphanumeric password. Entering 39 characters on a hardware numeric keypad is way faster and way less error prone.
When we got new internet in our previous home I was forced to change our password that everyone had already set from previous use, because the new configuration interface didn't allow spaces. So I used underscores. Then family visited and they had a tablet with a keyboard that didn't have underscores.
Creepy, but convenient.
You have to be shared contacts, have Bluetooth and wireless on. There might be others that I don’t remember
qr some text
I think I'll start using this a lot!
Fun fact no one has ever actually scanned the code... ever! Maybe if I was a cafe but not for house guests.
"Scan" sounds to them like some separate action that they would need to know how to do. But at least on iOS all it takes is opening the camera and pointing it at the code - you get a pop up notification asking you to join the network.
I bet people know how to point the camera at something even if they don't think they know how to scan it.
And Google charts: https://chart.googleapis.com/chart?chs=150x150&cht=qr&chl=WI...
NFC stickers cost approximately nothing, and you can program them using an app on your phone.
Android 10 made some more specific features for this, such as automatically generating the QR code for others and scanning QR directly from the wifi settings.
The 3rd party application usually is just your bundled camera app.
Almost every manufacturer ships their own camera app so it is hard to know what features are present given a certain Android phone.
Update: Actually it works with the built-in Camera. Point to QR, it decodes it and shows SSID and password, there's a wifi icon button, and pressing that immediately connects.
If, for whatever reason, you wanted to do this with older iOS you had to use a configuration profile. This would be distributed as a PList that you'd link to in the QR code. Which means the device needs to be connected to a network to download it first. A captive portal could help with that, or put it on the internet maybe protected with a geofence so you're not advertising your password to the world.
I have Android 8.1.0 (LineageOS 15.1), and a generic 'barcode reader' app (https://play.google.com/store/apps/details?id=com.google.zxi...) and it works just fine.
Open the barcode scanner app, scan QR code, and it says "Requesting access to network".
When I use a third-party reader it shows that a password containing special characters really confuses this particular notation, since colons and semicolons are also used for field delimiters. Even if I escape them when passing the argument to qrencode, the parser app stumbles on them.
On another note I find it quite awkward that the feature is buried in that dialog on Android. You even need to tap on the network you want to connect to when that information is already in the qr code.
On my OnePlus 6T the scan QR code button  is next to 'Add network' so you don't have to select the Wi-Fi network first.
Bonus: I can also share my WiFi settings by opening a QR code on my phone's display.
“If you use lower-case, upper-case, and digits, and if you generate it truly randomly, then a 16-character password has 95 bits of entropy. That is more than sufficient.”
It’s funny that friend goes to the effort of a super long password, but then lets people connect to it.
For this project, on first boot the device creates an AP, then displays a QR code containing SSID and key (along with text version of the same) that the user can connect to. Upon connection a captive portal will redirect the user to the configuration page, allowing the user to select the desired SSID and configure other essential values.
If you have a phone handy, just scan the display, accept the prompt to connect, and the next thing you see is the configuration page popping up as Apple and Android detect it as a login page.
I put together a two-page PDF, page size about 4 inches by 6 inches. One side had the info for the main network; the other side had the info for the guest network. "the info" included the SSID, the password, and a large QR code.
I then sent the PDF to FedEx, printed on card stock, double-sided, and laminated, with instructions to cut the excess paper away before laminating. The result was a nicely-put-together "quick reference" card that my parents can use for whatever needed. If my parents get a new phone, putting it on WiFi is as simple as a QR-code scan.
Or I suppose just use the cli tools, as mentioned, for extra safety...
Arguably it is easier to verify that a webapp is not sending the data to a 3rd party, than it is to verify that the CLI tool doesn't (easy network inspection from the developer tools).
However sure, having the peace of mind that this will not happen may still make it more worth it to do it yourself.
But it makes it rather confusing how to connect on e.g. a laptop without having to scan the QR code with the mobile device first. If the password is 63 characters long, typing it wouldn't be 'quick'.
Well that’s surprising and nice.
Remember to URL encode the SSID and PASSWORD if you have any characters that can't go into a URL. (Also, you have to trust Google to not store that URL anywhere)
(as do Apple btw.)
You also have to trust Google to still be operating the service by the time you come to use it.
But what about all those other random WiFi devices? I don’t relish the thought of entering 63 characters into my printer’s goofy interface, a games console, my car, etc...
You know nothing john snow.
Tesla already has an “Allow remote access” toggle, which defaults to OFF, that prevents you from connecting to it via the app etc.
(Whether this fully prevents Tesla connecting to it remotely, I’m not so sure...)
Create your Home wifi QR code https://modemly.com/qrcode
You can immediately generate QR codes from it using this link: http://bwip-js.metafloor.com/demo/demo.html
I use BWIP-JS in my electron app. Love it. Super easy and reliable way to print barcodes on a label printer using nice UI: https://label.live
And maybe somehow a script that rotates the password updating the Kindle.
Sits on the kitchen counter. Guest password is rotated and the display is auto-updated.
The raspberrypi is running MagicMirror, but I just have it outputting to a small display (7"). Looks great.
I use a Ubiquiti wifi AP and it has an API to change the guest password.
This editor supports wifi qr codes
In WPA3 finally the no password ("guest") case has randomly chosen keys using RFC 8110 instead of being unencrypted, so it's equivalent security to everybody knowing the password.
I agree no password is the best outcome, and WPA3 makes that finally no more dangerous than it needs to be.
Explaining the "WIFI:T:WPA" bit would have been nice to see.
At the bare minimum a link to an article that explains it would be necessary to meet the bar.
In the current state this article is a user-level how-to document, and fails to meet the bar for an article targeted at "hackers".
By reading the "Guidelines", of course!
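Added example, not part of any comment in this thread: the `WIFI:T:WPA` text asked about above is the start of a semicolon-delimited payload (T = authentication type, S = SSID, P = password, H = hidden network), and the trouble with colons and semicolons in passwords reported earlier in the thread comes down to backslash escaping. The code follows the convention as documented by the ZXing project; the function names and the sample credentials are constructed for illustration.

```python
# Added example: build and parse the "WIFI:" QR payload (function names are mine).
SPECIAL = '\\;,:"'  # delimiter characters that need a backslash inside a value


def escape(value: str) -> str:
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def build_wifi_payload(ssid, password="", auth="WPA", hidden=False):
    """Return the text to hand to a QR encoder such as qrencode."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    fields = [f"T:{auth}", f"S:{escape(ssid)}"]
    if auth != "nopass":
        fields.append(f"P:{escape(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_payload(payload):
    """Split on unescaped ';' only, undoing the escaping as we go."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI payload")
    body, fields, current, i = payload[5:], [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1])  # escaped character is literal data
            i += 2
            continue
        if ch == ";":                    # unescaped ';' closes the field
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    # The key is the text before the first ':'; everything after it is the value.
    return dict(f.partition(":")[::2] for f in fields if f)


def naive_parse(payload):
    """What a reader that ignores escaping does: split on every ';'."""
    parts = payload[5:].split(";")
    return dict(p.split(":", 1) for p in parts if ":" in p)


# Constructed sample credentials, chosen to contain every delimiter character.
SAMPLE = build_wifi_payload("Guest;Net", 'p;a:ss\\w"ord,1')

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_wifi_payload(SAMPLE))
    print(naive_parse(SAMPLE))
```

A reader that behaves like `naive_parse` truncates the password at the first semicolon, so a generated code is worth testing on the devices that will actually scan it.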
In fact, the very first item on that page is titled "What to Submit" and explains exactly where that bar is:
> On-Topic: Anything that good hackers would find interesting. That includes more than hacking and startups. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual curiosity.
Apparently enough of us found it "interesting" for it to show up on the front page.
(The time you spent writing your comment would have been better spent banging your head against the wall -- at least you might have something (a bruise) to show for it!)