By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.
Order of fields does not matter. Special characters """ (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped with a backslash ("\") as in MECARD encoding. For example, if an SSID were "foo;bar\baz", with quotation marks part of the literal SSID name itself, this would be encoded as: WIFI:S:\"foo\;bar\\baz\";;
As of January 2018, iPhones have this feature built into the camera app under iOS 11.x. Android users may have the feature built into one of the device's stock apps (e.g. Samsung Galaxy S8/S8+/Note8 users can launch the stock browser, tap the browser's 3-dot menu, then choose "Scan QR code") or can install one of several available free apps such as "Barcode Scanner" or "QR Droid" to perform the QR Wi-Fi join.
I have an S8, the camera reads QR codes fine.
It looks like you may have to enable a setting the first time you read a QR code, after that it will do automatically and ask if you want to follow the link.
That's strange. I just tried it on my Note 9. It recognizes the QR code but just displays the unformatted WiFi string. Doesn't attempt to connect at all.
I don't want the camera to "think", I want it just to take photos. Otherwise someone can spread small stickers with QR commands/URLs and your phone is trying to connect to www.sex-pills-malware.com/download-nasty-file.html
XKCD's bobby tables comes to mind. Sanitize your inputs. If you point & click and you immediately process what your camera sees, there is great risk in that.
I want a photo to be a photo. If I want to scan a QR code for the purpose of scanning a QR code, I use some special app (and Ι block it's Wifi/3G connectivity to enusre the QR app will not leak what Ι just photographed).
Edit: I follow the Steve Gibson school of thought. I want the "thing" to do the "thing", and nothing but the "thing". Camera should do camera-ing (adjust camera-related-attributes). QR app should do QR-app-things (show me in clear text the QR code and ask me what do I want to do with it)(register WiFi, visit a website, etc).
Without trying to be funny, perhaps you should use a camera then and not a phone, to take photos? You're already in the realm of your device doing many more things than "the thing".
As for scanning automatically, no camera app based scanner I have witnessed performs any action in response to finding a QR without user input. Of course this could still happen accidently or by the QRs content finding some vulnerability.
At the end of the day, I think QR scanning in the camera is the obvious solution to non-hacker-news-browsing-people, and to make it go mainstream it needs to be accessible.
In spite of the above, I still agree with you, and use a barcode scanner from f-droid myself.
IME the screen just shows a link icon when it detects a qr code, when the user taps the icon, the URL is displayed, and then the user taps again to browse to it / download / accept settings etc.
It was my understanding that the android security model doesn't allow this - specifically the settings permission let's you connect to a new network, but not to get the password back for an already saved network.
At last my Pixel 3a have that option. On the network settings you can click "share" and it will give you a qr code as well as show the password in cleartext in the screen. It does require you to enter your password or scan your digital to go there.
bndw: looks like some characters need escaping: backslash, semicolon, comma and colon. Maybe more too, given the treatment of double quotes in that last link (I’ve filed https://github.com/zxing/zxing/issues/1292 about that inconsistency).
Another fun bug report: I entered lots of input, and the page suddenly went blank. In the console:
Error: code length overflow. (28252>23648)
So yeah, seems like all you have to do is paste 24KB of data in and it blows up. :)
I see this failure mode in React apps a lot, where a bug causes an exception to be thrown, and the page just vanishes in a puff of smoke, as though it never was.
Half the time I’ve seen this failure mode it’s also been combined with persisting the bad value, so that the site is permanently broken until you can unpersist the value (e.g. clear localStorage or IndexedDB or cookie; but if the bad value is stored on a server you’re truly stuck).
The impression I’ve taken away is that it’s entirely unacceptable for a React component to throw an exception, because it will immediately destroy everything. Wonder how common such failures actually are, and whether there’s anything React itself could do about it (my guess is not).
FYI, maxlength is actually not enough to protect against people like me that are determined to break things for fun: Firefox 77 starts letting you exceed maxlength if pasting text in, to protect against accidental truncation. See https://www.fxsitecompat.dev/en-CA/docs/2020/text-exceeding-....
You may say it’s a fairly contrived failure, but it’s easily possible, and plausible if the user thinks they copied the password onto the clipboard, but actually those paragraphs of text they copied earlier are still on the clipboard. That sort of thing happens to people that use the clipboard (e.g. me) not uncommonly.
You can also generate them via Siri Shortcuts now, I wrote a simple shortcut that’s shown on the share sheet, so I can share WiFi credentials from 1Password via QR code.
The shortcut is just regex match the base station, password and security from the text 1Password shares, then format it as WIFI:S:<ssid>;T:<security>;P:<password>;; and then pipe that to the Generate QR code action.
Woah, do not get into the habit of putting your wifi network password into a website if you care about security. This particular site might or might not collect it now but it's a terrible habit to put your sensitive data into another site.
Imagine if this was a web-based password strength meter.
In WPA2 and earlier it makes sense to have a WiFi password even if it isn't secret from anyone.
Without a WiFi password these versions communicate in plaintext, so a passive adversary can snoop everything, choosing a password switches on encryption and thus protects against passive eavesdroppers.
Only in WPA3 do networks with no password get encryption to protect you from passive eavesdroppers.
Obviously an active MitM can work regardless, but that's trickier to attempt and unavoidably subject to detection.
If you "care about security" in the sense of not wanting random people to connect then you should not use "Personal mode" which is garbage in all versions of WPA because it relies on a shared human memorable password and (say it after me) human memorable passwords are garbage.
Use whichever of the terrible 802.1x alternatives best fits your scenario, as these authenticate specific users rather than relying on a single shared password. You can federate to allow large groups of people with something in common to all use all the networks in the federation. For students (and academic staff) most tertiary education sites in the world now offer Eduroam for example.
Or, give it all up as a bad job, and (with the caveat at the top about preventing passive eavesdropping) just stop trying to fence off your network and accept that it's the Internet and you'll need a BeyondCorp / Zero Trust security model.
I think the OP was saying that it is not a good thing to encourage people inputting their personal passwords to untrusted websites. They weren't commenting on the need to put passwords on wifi networks.
> I think the OP was saying that it is not a good thing to encourage people inputting their personal passwords to untrusted websites.
I dunno, the comment clearly says you shouldn't be putting wifi network passwords into websites, not passwords in general.
> They weren't commenting on the need to put passwords on wifi networks.
The thesis of the reply was "it makes sense to have a WiFi password even if it isn't secret". That's directly about whether it's okay to put a wifi password into a website.
True. How else would one implement this as a workaround for security? Perhaps a locally running version of the same thing that hopefully doesn't upload the data back to some server?
Edit: some users already commented in another thread about pacakges that can do it instead.
An idea that's been kicking around in my head is a widget with an e-ink display for hackerspaces, cafés, and other multi-user spaces that displays the a password-of-the-day along with a qrcode for easy login. Heck, include an NFC chip that hands out application/vnd.wfa.wsc objects as well.
I'm not sure how useful it would be beyond the cool factor, of course … the cafés in my area don't seem to change their wifi passwords often at all, so I assume they're not very concerned about leeching. The typical practice of printing it on a receipt or writing it on the board next to the soup-of-the-day is probably hard to beat.
I’d much rather use a captive portal than hunt for the 4” e-ink device hiding in a place of business.
They’re definitely not perfect though and you find some truly annoying configurations when you’re out in the world of public WiFi but for the most part it works.
You know, it's been a while since I've seen a captive portal in the wild, aside from airports and municipal wifi. Which pleases me, since, like other users here, I find them fairly annoying.
Can someone give a short explaination as to how it works in the backend? The QR code contains username and password. But how does my phone's QR scanner know that its an SSID/pw and eventually connects to the network?
Yes I saw, that is what the QR code contains (username and password of the WIFI). But I do not understand what my phone does when it sees that. There are tons of dubmbed-down articles on "how-to" instructions but none explaining the backend stuff happening on my phone's side.
The Zxing barcode scanner app does it this way: This [0] is the dispatch code. If it detects WIFI as type, it passes it to a WifiConfigManager [1] which then talks to Android's WifiManager API. On the back end, the addOrUpdateNetwork function of WifiManager [3] calls the method with the same name of IWifiManager [4]. That class has a channel to a WifiStateMachine [5] which sends a message with the command CMD_ADD_OR_UPDATE_NETWORK. It's handled in the same file (but I suppose it's in a different process, now a privileged system process), and calls the addOrUpdateNetwork function of WifiConfigStore [6].
The WifiConfigStore stores its config into a wpa_supplicant compatible file. The file is then passed to the wpa_supplicant service, which is also present on other Linux distros like the GNU/Linux ones, although here the config file is built by a dedicated NetworkManager service (also, some intel folks are building a replacement IIRC). wpa_supplicant is a privileged service that talks to the WiFi card drivers.
I like the interface and that it doesn't need a server to generate the QR image, but it doesn't work for my network ¯\_(ツ)_/¯
Edit: perhaps I should clarify that that's my network's name. In the qr code reader it shows up as ¯_(ツ)_/¯ and it's stored in wpa_supplicant.conf as c2af5f28e38384295f2fc2af (indeed missing the backslash).
Hah, I noticed the lack of escaping when skimming the code (see my comment—workaround until fixed will be for you to double the backslash yourself) but didn’t expect it to actually affect anyone. Don’t think I’ve never seen a backslash, semicolon, comma or colon in an SSID. Or non-ASCII!
Lovely! Is it possible to inject SSID and passphrase parameters as env vars into the Docker container and have a png or pdf render without the web interface?
Combine this with a small/cheap e-paper display and dd-wrt on your wifi router and you have the tools for auto generating and displaying a new daily guest password.
Be a decent solution for a business that wants to offer guest wifi with a little less risk of abuse.
I made one of these before a party and put it up by the door for the guest wifi. It was great because I didn't have to tell anyone the wifi password during the party!
This should be a feature of password managers, or at least password managers that have a separate item type for wireless networks.
Someone suggested it on the 1Password forums [1] and one of their employees said it it was a great idea and would pass it to the development team, but that was in September, 2017, so apparently it didn't go anywhere.
About 18 months ago, someone suggested it on /r/1password [2], and again someone from 1Password liked it and said they would pass it on to the devs.
I've tried to use these before, but since my SSID is [the poop emoji] (which i've just learned is verboten on HN) and the password is 64 characters of hex, I've never gotten it to work, and have exposed bugs in lots of shitty wifi hardware and software. 64 char hex is what a regular 8-63 char password is hashed to for encryption. Specifying it directly as 64 char hex is in spec, and should be supported in software or hardware that's made properly.
Emoji SSID just kind of works in most cases, because an encoding was never specified for that string, afaik.
TL;DR: I shoot myself in the foot for entertainment.
According to the 2012 spec, the SSID _can_ have an encoding. It can optionally be either the previous byte buffer without any real limitation to it, or UTF-8 encoding.
So as hex, you would need to try both of these for your ssid: U+1F4A9 or F0 9F 92 A9
Unfortunately, encoding to UTF-8 and setting a BOM won't guarantee this will work for you, because most QR decoders actually use heuristics to guess the encoding of the text.
You can make it behave a little better by setting ECI (to specify the encoding) when creating your QR code, but even though that was introduced in 2000, most QR decoders don't have ECI implemented.
Your best bet is to try UTF-8 encoding of the emoji first, and then fallback to the unicode representation.
Recently came across a QR Coder [1] that can generate for a variety of different purposes, including Wifi (e.g., Bookmarks, Email, Contact, GeoLocation, SMS, URL link, etc.) - the same website also has a encoder/decoder and an API [2], but I've not tried those features.
Might be a dumb question but how do you scan a QR code like this on Android without a 3rd party app? The only way I've ever known to scan QR codes is by scanning from within WeChat.
For OS versions without built in scanner, or where the scanner is some garbage from your hardware vendor, there's an open source scanner both on f-droid and on the google play store if that has your fancy. I've been using it forever and so far it supported everything I threw at it.
I don't know what version it was introduced, but this has been around for quite a while and doesn't rely on proprietary google services or anything, so I expect all phones have it (though maybe your QR code reader needs to support the format).
As mentioned by someone else it uses the form of:
Wikipedia has information on this https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...Section of the Wikipedia article:
Joining a Wi‑Fi network
By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.
The format of the encoded string is:
Order of fields does not matter. Special characters """ (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and "\" (backslash) should be escaped with a backslash ("\") as in MECARD encoding. For example, if an SSID were "foo;bar\baz", with quotation marks part of the literal SSID name itself, this would be encoded as: WIFI:S:\"foo\;bar\\baz\";;As of January 2018, iPhones have this feature built into the camera app under iOS 11.x. Android users may have the feature built into one of the device's stock apps (e.g. Samsung Galaxy S8/S8+/Note8 users can launch the stock browser, tap the browser's 3-dot menu, then choose "Scan QR code") or can install one of several available free apps such as "Barcode Scanner" or "QR Droid" to perform the QR Wi-Fi join.
https://www.samsung.com/au/support/mobile-devices/samsung-qr...
The Note 9 is Android 10, One UI 2.0, build QP1A.190711.020.N960USQS3DTB2.
The Note 8 is Android 9, One UI 1.0, build PPR1.180610.011.N950USQU7DTC1.
XKCD's bobby tables comes to mind. Sanitize your inputs. If you point & click and you immediately process what your camera sees, there is great risk in that.
I want a photo to be a photo. If I want to scan a QR code for the purpose of scanning a QR code, I use some special app (and Ι block it's Wifi/3G connectivity to enusre the QR app will not leak what Ι just photographed).
Edit: I follow the Steve Gibson school of thought. I want the "thing" to do the "thing", and nothing but the "thing". Camera should do camera-ing (adjust camera-related-attributes). QR app should do QR-app-things (show me in clear text the QR code and ask me what do I want to do with it)(register WiFi, visit a website, etc).
As for scanning automatically, no camera app based scanner I have witnessed performs any action in response to finding a QR without user input. Of course this could still happen accidently or by the QRs content finding some vulnerability.
At the end of the day, I think QR scanning in the camera is the obvious solution to non-hacker-news-browsing-people, and to make it go mainstream it needs to be accessible.
In spite of the above, I still agree with you, and use a barcode scanner from f-droid myself.
I've been using a shell alias to call `qrencode` with the appropriate details for a few years now.
It was my understanding that the android security model doesn't allow this - specifically the settings permission let's you connect to a new network, but not to get the password back for an already saved network.
I think it came in roughly 9 though.
bndw: looks like some characters need escaping: backslash, semicolon, comma and colon. Maybe more too, given the treatment of double quotes in that last link (I’ve filed https://github.com/zxing/zxing/issues/1292 about that inconsistency).
I see this failure mode in React apps a lot, where a bug causes an exception to be thrown, and the page just vanishes in a puff of smoke, as though it never was.
Half the time I’ve seen this failure mode it’s also been combined with persisting the bad value, so that the site is permanently broken until you can unpersist the value (e.g. clear localStorage or IndexedDB or cookie; but if the bad value is stored on a server you’re truly stuck).
The impression I’ve taken away is that it’s entirely unacceptable for a React component to throw an exception, because it will immediately destroy everything. Wonder how common such failures actually are, and whether there’s anything React itself could do about it (my guess is not).
https://serverfault.com/questions/45439/what-is-the-maximum-...
You may say it’s a fairly contrived failure, but it’s easily possible, and plausible if the user thinks they copied the password onto the clipboard, but actually those paragraphs of text they copied earlier are still on the clipboard. That sort of thing happens to people that use the clipboard (e.g. me) not uncommonly.
I'm glad it's sparked your curiosity but I hope you'll understand the intent. I'd be happy to accept PR's if you'd like to contribute!
It's like bragging that you can inspect element to change your bank balance.
https://9to5mac.com/2018/05/16/how-to-qr-codes-ios-11-iphone...
The shortcut is just regex match the base station, password and security from the text 1Password shares, then format it as WIFI:S:<ssid>;T:<security>;P:<password>;; and then pipe that to the Generate QR code action.
Imagine if this was a web-based password strength meter.
Without a WiFi password these versions communicate in plaintext, so a passive adversary can snoop everything, choosing a password switches on encryption and thus protects against passive eavesdroppers.
Only in WPA3 do networks with no password get encryption to protect you from passive eavesdroppers.
Obviously an active MitM can work regardless, but that's trickier to attempt and unavoidably subject to detection.
If you "care about security" in the sense of not wanting random people to connect then you should not use "Personal mode" which is garbage in all versions of WPA because it relies on a shared human memorable password and (say it after me) human memorable passwords are garbage.
Use whichever of the terrible 802.1x alternatives best fits your scenario, as these authenticate specific users rather than relying on a single shared password. You can federate to allow large groups of people with something in common to all use all the networks in the federation. For students (and academic staff) most tertiary education sites in the world now offer Eduroam for example.
Or, give it all up as a bad job, and (with the caveat at the top about preventing passive eavesdropping) just stop trying to fence off your network and accept that it's the Internet and you'll need a BeyondCorp / Zero Trust security model.
The point of QR for this is to be able to actually share that high entropy 63 character string so you don't have to use a "human memorable password".
I dunno, the comment clearly says you shouldn't be putting wifi network passwords into websites, not passwords in general.
> They weren't commenting on the need to put passwords on wifi networks.
The thesis of the reply was "it makes sense to have a WiFi password even if it isn't secret". That's directly about whether it's okay to put a wifi password into a website.
https://github.com/fukuchi/libqrencode
Edit: some users already commented in another thread about pacakges that can do it instead.
I'm not sure how useful it would be beyond the cool factor, of course … the cafés in my area don't seem to change their wifi passwords often at all, so I assume they're not very concerned about leeching. The typical practice of printing it on a receipt or writing it on the board next to the soup-of-the-day is probably hard to beat.
They’re definitely not perfect though and you find some truly annoying configurations when you’re out in the world of public WiFi but for the most part it works.
Presumably the camera app recognizes “WIFI:” as a protocol string and passes the details along to the system settings.
Also found qifi.org that does a similar thing.
https://developer.apple.com/documentation/uikit/inter-proces...
The WifiConfigStore stores its config into a wpa_supplicant compatible file. The file is then passed to the wpa_supplicant service, which is also present on other Linux distros like the GNU/Linux ones, although here the config file is built by a dedicated NetworkManager service (also, some intel folks are building a replacement IIRC). wpa_supplicant is a privileged service that talks to the WiFi card drivers.
[0]: https://github.com/zxing/zxing/blob/0cf3b9be71680f50c90a71ca...
[1]: https://github.com/zxing/zxing/blob/0b9b39a74fb3d7b010fb2979...
[2]: https://developer.android.com/reference/android/net/wifi/Wif...
[3]: https://android.googlesource.com/platform/frameworks/base/+/...
[4]: https://android.googlesource.com/platform/frameworks/opt/net...
[5]: https://android.googlesource.com/platform/frameworks/base/+/...
[6]: https://android.googlesource.com/platform/frameworks/opt/net...
Edit: perhaps I should clarify that that's my network's name. In the qr code reader it shows up as ¯_(ツ)_/¯ and it's stored in wpa_supplicant.conf as c2af5f28e38384295f2fc2af (indeed missing the backslash).
Edit: Thank you to those who replied!
qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"
brew install qrencode
Be a decent solution for a business that wants to offer guest wifi with a little less risk of abuse.
Someone suggested it on the 1Password forums [1] and one of their employees said it it was a great idea and would pass it to the development team, but that was in September, 2017, so apparently it didn't go anywhere.
About 18 months ago, someone suggested it on /r/1password [2], and again someone from 1Password liked it and said they would pass it on to the devs.
[1] https://discussions.agilebits.com/discussion/82070/feature-r...
[2] https://www.reddit.com/r/1Password/comments/a1udg2/feature_r...
https://routinehub.co/shortcut/5451
Emoji SSID just kind of works in most cases, because an encoding was never specified for that string, afaik.
TL;DR: I shoot myself in the foot for entertainment.
So as hex, you would need to try both of these for your ssid: U+1F4A9 or F0 9F 92 A9
Unfortunately, encoding to UTF-8 and setting a BOM won't guarantee this will work for you, because most QR decoders actually use heuristics to guess the encoding of the text.
You can make it behave a little better by setting ECI (to specify the encoding) when creating your QR code, but even though that was introduced in 2000, most QR decoders don't have ECI implemented.
Your best bet is to try UTF-8 encoding of the emoji first, and then fallback to the unicode representation.
[1] http://niftypdf.com/Barcoder/QRCoder [2] http://niftypdf.com/Barcoder/API
https://f-droid.org/app/com.google.zxing.client.android
https://www.qr-code-generator.com/
(not trying to advertise the site, just saying it wasn't worth my time to reinvent something)