Show HN: Print a WiFi Login Card (bdw.to)
305 points by bndw 41 days ago | 88 comments

I just did this the other day using the newest version (6.4.4) of LibreOffice Writer. It has a QR Code generator built in.

As mentioned by someone else it uses the form of:

Wikipedia has information on this https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

Section of the Wikipedia article:

Joining a Wi‑Fi network

By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.

The format of the encoded string is:

Order of fields does not matter. Special characters """ (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped with a backslash ("\") as in MECARD encoding. For example, if an SSID were "foo;bar\baz", with quotation marks part of the literal SSID name itself, this would be encoded as: WIFI:S:\"foo\;bar\\baz\";;

As of January 2018, iPhones have this feature built into the camera app under iOS 11.x. Android users may have the feature built into one of the device's stock apps (e.g. Samsung Galaxy S8/S8+/Note8 users can launch the stock browser, tap the browser's 3-dot menu, then choose "Scan QR code") or can install one of several available free apps such as "Barcode Scanner" or "QR Droid" to perform the QR Wi-Fi join.

Typical Samsung, putting the feature inside their stock browser (which I've disabled) instead of the camera where it makes sense.

I have an S8, the camera reads QR codes fine. It looks like you may have to enable a setting the first time you read a QR code, after that it will do automatically and ask if you want to follow the link.


On my Note 8 this feature works directly in the stock camera app. I didn't know about this, but I just tested it on the linked site and it works.

That's strange. I just tried it on my Note 9. It recognizes the QR code but just displays the unformatted WiFi string. Doesn't attempt to connect at all.

Very odd! I tested a friend's Note 9 and it works there too. Both phones are on T-Mobile with their latest Android update.

The Note 9 is Android 10, One UI 2.0, build QP1A.190711.020.N960USQS3DTB2.

The Note 8 is Android 9, One UI 1.0, build PPR1.180610.011.N950USQU7DTC1.

The QR code that it initially displays is invalid, type any text into the SSID/pass fields and it will work

This was likely the issue. I was testing it on the Netgear Orbi which seems to have a malformed string in their we codes.

I don't want the camera to "think", I want it just to take photos. Otherwise someone can spread small stickers with QR commands/URLs and your phone is trying to connect to www.sex-pills-malware.com/download-nasty-file.html

XKCD's bobby tables comes to mind. Sanitize your inputs. If you point & click and you immediately process what your camera sees, there is great risk in that.

I want a photo to be a photo. If I want to scan a QR code for the purpose of scanning a QR code, I use some special app (and I block its Wifi/3G connectivity to ensure the QR app will not leak what I just photographed).

Edit: I follow the Steve Gibson school of thought. I want the "thing" to do the "thing", and nothing but the "thing". Camera should do camera-ing (adjust camera-related-attributes). QR app should do QR-app-things (show me in clear text the QR code and ask me what do I want to do with it)(register WiFi, visit a website, etc).

Without trying to be funny, perhaps you should use a camera then and not a phone, to take photos? You're already in the realm of your device doing many more things than "the thing".

As for scanning automatically, no camera app based scanner I have witnessed performs any action in response to finding a QR without user input. Of course this could still happen accidentally or by the QR's content finding some vulnerability.

At the end of the day, I think QR scanning in the camera is the obvious solution to non-hacker-news-browsing-people, and to make it go mainstream it needs to be accessible.

In spite of the above, I still agree with you, and use a barcode scanner from f-droid myself.

IME the screen just shows a link icon when it detects a qr code, when the user taps the icon, the URL is displayed, and then the user taps again to browse to it / download / accept settings etc.

Even my Mum's old Moto G4 has this feature in the Camera.

I've been using a shell alias to call `qrencode` with the appropriate details for a few years now.

Also, android will display such QR code if you go to your wifi settings so you can connect other devices easily.

What android version?

It was my understanding that the android security model doesn't allow this - specifically the settings permission lets you connect to a new network, but not to get the password back for an already saved network.

At last my Pixel 3a has that option. On the network settings you can click "share" and it will give you a qr code as well as show the password in cleartext in the screen. It does require you to enter your password or scan your digital to go there.

I've seen it since 9, I don't recall seeing it in 8, but it's also hard to tell where I've seen it due to manufacturer customisation.

I think it came in roughly 9 though.

My Pocophone F1 has a button to generate a QR code from a network in the settings app, I guess they added a special permission for it.

On my Samsung 9+ with Android 10 it is under WiFi, settings, button on the bottom of the screen.

You're right but the UI that they're referring to is in a system app

Whatever is currently on the OnePlus 6 does it.

Per https://github.com/bndw/wifi-card/blob/5d7fbbda1e8eac5802c8d..., the QR code text is of this form:

https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-n... seems to be where this format came from. (That page describes various other forms of QR codes too.)

bndw: looks like some characters need escaping: backslash, semicolon, comma and colon. Maybe more too, given the treatment of double quotes in that last link (I’ve filed https://github.com/zxing/zxing/issues/1292 about that inconsistency).

Ah I just read through the code to figure this out, because I wanted to know what other formats exist. Should’ve checked the comments first. Thanks :)

Another fun bug report: I entered lots of input, and the page suddenly went blank. In the console:

    Error: code length overflow. (28252>23648)

So yeah, seems like all you have to do is paste 24KB of data in and it blows up. :)

I see this failure mode in React apps a lot, where a bug causes an exception to be thrown, and the page just vanishes in a puff of smoke, as though it never was.

Half the time I’ve seen this failure mode it’s also been combined with persisting the bad value, so that the site is permanently broken until you can unpersist the value (e.g. clear localStorage or IndexedDB or cookie; but if the bad value is stored on a server you’re truly stuck).

The impression I’ve taken away is that it’s entirely unacceptable for a React component to throw an exception, because it will immediately destroy everything. Wonder how common such failures actually are, and whether there’s anything React itself could do about it (my guess is not).

Thanks, fixed. TIL ssids have a max char count of 32:


FYI, maxlength is actually not enough to protect against people like me that are determined to break things for fun: Firefox 77 starts letting you exceed maxlength if pasting text in, to protect against accidental truncation. See https://www.fxsitecompat.dev/en-CA/docs/2020/text-exceeding-....

You may say it’s a fairly contrived failure, but it’s easily possible, and plausible if the user thinks they copied the password onto the clipboard, but actually those paragraphs of text they copied earlier are still on the clipboard. That sort of thing happens to people that use the clipboard (e.g. me) not uncommonly.

All good. This was a random weekend hack project meant to solve a specific, personal need. Figured I'd share it out in case others were interested.

I'm glad it's sparked your curiosity but I hope you'll understand the intent. I'd be happy to accept PR's if you'd like to contribute!

Who cares that you're "determined" to break the client for yourself?

It's like bragging that you can inspect element to change your bank balance.

This is what React error boundaries are for, containing the exception and optionally showing a fallback or error.

Neat. You can find more supported QR codes for iOS here-- https://developer.apple.com/videos/play/tech-talks/206/ (I couldn't find docs but you can skip around the video, starts at 1:11).

Nice! I didn't realise that iOS supports QR codes out of the box now.

They added support built into the camera app starting with iOS 11 (released in 2018).


You can also generate them via Siri Shortcuts now, I wrote a simple shortcut that’s shown on the share sheet, so I can share WiFi credentials from 1Password via QR code.

The shortcut is just regex match the base station, password and security from the text 1Password shares, then format it as WIFI:S:<ssid>;T:<security>;P:<password>;; and then pipe that to the Generate QR code action.

Woah, do not get into the habit of putting your wifi network password into a website if you care about security. This particular site might or might not collect it now but it's a terrible habit to put your sensitive data into another site.

Imagine if this was a web-based password strength meter.

In WPA2 and earlier it makes sense to have a WiFi password even if it isn't secret from anyone.

Without a WiFi password these versions communicate in plaintext, so a passive adversary can snoop everything, choosing a password switches on encryption and thus protects against passive eavesdroppers.

Only in WPA3 do networks with no password get encryption to protect you from passive eavesdroppers.

Obviously an active MitM can work regardless, but that's trickier to attempt and unavoidably subject to detection.

If you "care about security" in the sense of not wanting random people to connect then you should not use "Personal mode" which is garbage in all versions of WPA because it relies on a shared human memorable password and (say it after me) human memorable passwords are garbage.

Use whichever of the terrible 802.1x alternatives best fits your scenario, as these authenticate specific users rather than relying on a single shared password. You can federate to allow large groups of people with something in common to all use all the networks in the federation. For students (and academic staff) most tertiary education sites in the world now offer Eduroam for example.

Or, give it all up as a bad job, and (with the caveat at the top about preventing passive eavesdropping) just stop trying to fence off your network and accept that it's the Internet and you'll need a BeyondCorp / Zero Trust security model.

WPA doesn't rely on a "human memorable password". You can generate a random 63 character string to use.

The point of QR for this is to be able to actually share that high entropy 63 character string so you don't have to use a "human memorable password".

Fair point. Thanks.

I think the OP was saying that it is not a good thing to encourage people inputting their personal passwords to untrusted websites. They weren't commenting on the need to put passwords on wifi networks.

> I think the OP was saying that it is not a good thing to encourage people inputting their personal passwords to untrusted websites.

I dunno, the comment clearly says you shouldn't be putting wifi network passwords into websites, not passwords in general.

> They weren't commenting on the need to put passwords on wifi networks.

The thesis of the reply was "it makes sense to have a WiFi password even if it isn't secret". That's directly about whether it's okay to put a wifi password into a website.

True. How else would one implement this as a workaround for security? Perhaps a locally running version of the same thing that hopefully doesn't upload the data back to some server?

Edit: some users already commented in another thread about packages that can do it instead.

You can use `qrencode` on your local machine.


Haha, my first thought as well. Went ahead and just starred the Github page and I'll run it locally if I ever care to use it.

An idea that's been kicking around in my head is a widget with an e-ink display for hackerspaces, cafés, and other multi-user spaces that displays a password-of-the-day along with a qrcode for easy login. Heck, include an NFC chip that hands out application/vnd.wfa.wsc objects as well.

I'm not sure how useful it would be beyond the cool factor, of course … the cafés in my area don't seem to change their wifi passwords often at all, so I assume they're not very concerned about leeching. The typical practice of printing it on a receipt or writing it on the board next to the soup-of-the-day is probably hard to beat.

Typically you’d just use a captive portal with sessions that time out. That’s sufficient to keep away all but the most determined leechers.

Unfortunately they are really annoying to use.

I’d much rather use a captive portal than hunt for the 4” e-ink device hiding in a place of business.

They’re definitely not perfect though and you find some truly annoying configurations when you’re out in the world of public WiFi but for the most part it works.

What have been your frustrations with them? I’ve found them dead easy to setup and implement

they are annoying for users. they are the reason sites like NeverSSL exist, for instance.

You know, it's been a while since I've seen a captive portal in the wild, aside from airports and municipal wifi. Which pleases me, since, like other users here, I find them fairly annoying.

Can someone give a short explanation as to how it works in the backend? The QR code contains username and password. But how does my phone's QR scanner know that it's an SSID/pw and eventually connects to the network?

See this comment: https://news.ycombinator.com/item?id=23371188

Presumably the camera app recognizes “WIFI:” as a protocol string and passes the details along to the system settings.

Yes I saw, that is what the QR code contains (username and password of the WIFI). But I do not understand what my phone does when it sees that. There are tons of dumbed-down articles on "how-to" instructions but none explaining the backend stuff happening on my phone's side.

Also found qifi.org that does a similar thing.

it sounds to me like it's a custom url scheme built into ios.


It's vCard, not URL.

The Zxing barcode scanner app does it this way: This [0] is the dispatch code. If it detects WIFI as type, it passes it to a WifiConfigManager [1] which then talks to Android's WifiManager API. On the back end, the addOrUpdateNetwork function of WifiManager [3] calls the method with the same name of IWifiManager [4]. That class has a channel to a WifiStateMachine [5] which sends a message with the command CMD_ADD_OR_UPDATE_NETWORK. It's handled in the same file (but I suppose it's in a different process, now a privileged system process), and calls the addOrUpdateNetwork function of WifiConfigStore [6].

The WifiConfigStore stores its config into a wpa_supplicant compatible file. The file is then passed to the wpa_supplicant service, which is also present on other Linux distros like the GNU/Linux ones, although here the config file is built by a dedicated NetworkManager service (also, some intel folks are building a replacement IIRC). wpa_supplicant is a privileged service that talks to the WiFi card drivers.

[0]: https://github.com/zxing/zxing/blob/0cf3b9be71680f50c90a71ca...

[1]: https://github.com/zxing/zxing/blob/0b9b39a74fb3d7b010fb2979...

[2]: https://developer.android.com/reference/android/net/wifi/Wif...

[3]: https://android.googlesource.com/platform/frameworks/base/+/...

[4]: https://android.googlesource.com/platform/frameworks/opt/net...

[5]: https://android.googlesource.com/platform/frameworks/base/+/...

[6]: https://android.googlesource.com/platform/frameworks/opt/net...

I like the interface and that it doesn't need a server to generate the QR image, but it doesn't work for my network ¯\_(ツ)_/¯

Edit: perhaps I should clarify that that's my network's name. In the qr code reader it shows up as ¯_(ツ)_/¯ and it's stored in wpa_supplicant.conf as c2af5f28e38384295f2fc2af (indeed missing the backslash).

Hah, I noticed the lack of escaping when skimming the code (see my comment—workaround until fixed will be for you to double the backslash yourself) but didn’t expect it to actually affect anyone. Don’t think I’ve never seen a backslash, semicolon, comma or colon in an SSID. Or non-ASCII!

Since finding out SSIDs are not limited to 7-bit ASCII or something, my networks have never been the same.

Hmm, but it looks like under WPA-Personal keys are still limited to printable ASCII?

Those you actually have to enter, though, so I never set those to anything that wouldn't be available on a standard keyboard.
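
The escaping and length points raised in this thread (the MECARD escaping rule quoted from Wikipedia, the `maxlength` bypass, and the backslash SSID above), as an added example that is not code from wifi-card or from any commenter. The function names are hypothetical and the sample SSID and password values are constructed; the parser shows why an unescaped backslash or semicolon changes the SSID a reader sees.

```javascript
// Added example, not code from wifi-card. Function names are hypothetical.
const SPECIAL = /[\\;,:"]/g; // characters that need a backslash in front
const TYPES = new Set(["WPA", "WEP", "nopass"]);

function escapeField(value) {
  return value.replace(SPECIAL, (ch) => "\\" + ch);
}

function buildWifiPayload({ ssid, password = "", type = "WPA", hidden = false }) {
  if (!TYPES.has(type)) throw new RangeError(`unsupported type: ${type}`);
  // Count UTF-8 bytes, not JavaScript characters: an SSID holds at most 32 octets.
  // Checking here does not depend on the input's maxlength attribute.
  const ssidBytes = new TextEncoder().encode(ssid).length;
  if (ssidBytes < 1 || ssidBytes > 32) {
    throw new RangeError(`SSID is ${ssidBytes} bytes, expected 1 to 32`);
  }
  if (type === "WPA") {
    const passphrase = /^[\x20-\x7e]{8,63}$/.test(password);
    const hexKey = /^[0-9a-fA-F]{64}$/.test(password);
    if (!passphrase && !hexKey) {
      throw new RangeError("WPA key must be 8-63 printable ASCII or 64 hex digits");
    }
  }
  let out = `WIFI:T:${type};S:${escapeField(ssid)};P:${escapeField(password)};`;
  if (hidden) out += "H:true;";
  return out + ";";
}

// Reader side: split on unescaped ';' and ':' and drop the escaping backslashes.
function parseWifiPayload(text) {
  if (!text.startsWith("WIFI:")) throw new SyntaxError("not a WIFI: payload");
  const fields = {};
  let key = null;
  let buf = "";
  for (let i = 5; i < text.length; i++) {
    const ch = text[i];
    if (ch === "\\" && i + 1 < text.length) {
      buf += text[++i]; // escaped character is taken literally
    } else if (ch === ":" && key === null) {
      key = buf; // first unescaped colon ends the field name
      buf = "";
    } else if (ch === ";") {
      if (key !== null) fields[key] = buf; // unescaped semicolon ends the field
      key = null;
      buf = "";
    } else {
      buf += ch;
    }
  }
  return fields;
}

// Constructed sample: the backslash SSID from the thread.
const shrug = "¯\\_(ツ)_/¯";
console.log(buildWifiPayload({ ssid: shrug, password: "constructed-pass-1" }));
// Without escaping, the reader drops the backslash:
console.log(parseWifiPayload(`WIFI:T:WPA;S:${shrug};P:constructed-pass-1;;`).S);
```

The returned string can be handed to a local `qrencode`, as suggested elsewhere in the thread, so the password never leaves the machine.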

Lovely! Is it possible to inject SSID and passphrase parameters as env vars into the Docker container and have a png or pdf render without the web interface?

Edit: Thank you to those who replied!

You can generate QR codes using qrencode (available in most distros package repos), as follows:

    qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"

qrencode is in debian/ubuntu (https://fukuchi.org/works/qrencode/)

    qrencode -t ansiutf8 'WIFI:T:WPA;S:{ssid};P:{password};;'

No docker required ...

I’m on a Mac, so I would need Docker if the tool wasn’t built for Mac (only Linux).

No, you can just install it via Homebrew.

    brew install qrencode

Good to know! Thank you!

Combine this with a small/cheap e-paper display and dd-wrt on your wifi router and you have the tools for auto generating and displaying a new daily guest password.

Be a decent solution for a business that wants to offer guest wifi with a little less risk of abuse.

Or for free: use that old smart phone in your drawer.

But that would cost you battery all the time, while the e paper would just need power to update the qr code

Good point. Dig out that old kindle!

I made one of these before a party and put it up by the door for the guest wifi. It was great because I didn't have to tell anyone the wifi password during the party!

This should be a feature of password managers, or at least password managers that have a separate item type for wireless networks.

Someone suggested it on the 1Password forums [1] and one of their employees said it was a great idea and would pass it to the development team, but that was in September, 2017, so apparently it didn't go anywhere.

About 18 months ago, someone suggested it on /r/1password [2], and again someone from 1Password liked it and said they would pass it on to the devs.

[1] https://discussions.agilebits.com/discussion/82070/feature-r...

[2] https://www.reddit.com/r/1Password/comments/a1udg2/feature_r...

I've created an iOS Shortcut to do this:


I've tried to use these before, but since my SSID is [the poop emoji] (which I've just learned is verboten on HN) and the password is 64 characters of hex, I've never gotten it to work, and have exposed bugs in lots of shitty wifi hardware and software. 64 char hex is what a regular 8-63 char password is hashed to for encryption. Specifying it directly as 64 char hex is in spec, and should be supported in software or hardware that's made properly.

Emoji SSID just kind of works in most cases, because an encoding was never specified for that string, afaik.

TL;DR: I shoot myself in the foot for entertainment.

According to the 2012 spec, the SSID _can_ have an encoding. It can optionally be either the previous byte buffer without any real limitation to it, or UTF-8 encoding.

So as hex, you would need to try both of these for your ssid: U+1F4A9 or F0 9F 92 A9

Unfortunately, encoding to UTF-8 and setting a BOM won't guarantee this will work for you, because most QR decoders actually use heuristics to guess the encoding of the text.

You can make it behave a little better by setting ECI (to specify the encoding) when creating your QR code, but even though that was introduced in 2000, most QR decoders don't have ECI implemented.

Your best bet is to try UTF-8 encoding of the emoji first, and then fallback to the unicode representation.

Recently came across a QR Coder [1] that can generate for a variety of different purposes, including Wifi (e.g., Bookmarks, Email, Contact, GeoLocation, SMS, URL link, etc.) - the same website also has a encoder/decoder and an API [2], but I've not tried those features.

[1] http://niftypdf.com/Barcoder/QRCoder [2] http://niftypdf.com/Barcoder/API

This is incredibly useful, I didn't know our phones had this feature.

Might be a dumb question but how do you scan a QR code like this on Android without a 3rd party app? The only way I've ever known to scan QR codes is by scanning from within WeChat.

For OS versions without built in scanner, or where the scanner is some garbage from your hardware vendor, there's an open source scanner both on f-droid and on the google play store if that has your fancy. I've been using it forever and so far it supported everything I threw at it.


Support for this is built in to the stock camera app for Android 10.

The Google Lens app also works.

Neat. I investigated doing something like this a few weeks ago, but it turned out there's a site that has a variety of QR code tools:


(not trying to advertise the site, just saying it wasn't worth my time to reinvent something)

Do all Android and iOS devices support this feature?

iOS since 11.0 (2017, >98% of iOS users today): https://en.wikipedia.org/wiki/IOS_11#Other_changes

I don't know what version it was introduced, but this has been around for quite a while and doesn't rely on proprietary google services or anything, so I expect all phones have it (though maybe your QR code reader needs to support the format).

This is convenient and easy to use. It would be nice to be able to print multiple access points with one print.

Maybe someone will sell wifi routers with cute little LCD screens in them that show this QR code?

I like how it ignores WEP. Don't use WEP.

Looks pretty useful.
