[HN Gopher] Show HN: Print a WiFi Login Card ___________________________________________________________________ Show HN: Print a WiFi Login Card Author : bndw Score : 160 points Date : 2020-05-31 16:34 UTC (6 hours ago) (HTM) web link (wifi.dev.bdw.to) (TXT) w3m dump (wifi.dev.bdw.to) | mrtweetyhack wrote: | Yes, print all your passwords and your social security number too | dheera wrote: | Might be a dumb question but how do you scan a QR code like this | on Android without a 3rd party app? The only way I've ever known | to scan QR codes is by scanning from within WeChat. | lwhsiao wrote: | Support for this is built in to the stock camera app for | Android 10. | toomuchtodo wrote: | Lovely! Is it possible to inject SSID and passphrase parameters | as env vars into the Docker container and have a png or pdf | render without the web interface? | | Edit: Thank you to those who replied! | jasonjayr wrote: | qrencode is in debian/ubuntu | (https://fukuchi.org/works/qrencode/) | qrencode -t ansiutf8 'WIFI:T:WPA;S:{ssid};P:{password};;' | | No docker required ... | toomuchtodo wrote: | I'm on a Mac, so I would need Docker if the tool wasn't built | for Mac (only Linux). | dewey wrote: | No, you can just install it via Homebrew. | | brew install qrencode | toomuchtodo wrote: | Good to know! Thank you! | davb wrote: | You can generate QR codes using qrencode (available in most | distros package repos), as follows: | | qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;" | groundpepper wrote: | This is incredibly useful, I didn't know our phones had this | feature. | wiml wrote: | An idea that's been kicking around in my head is a widget with an | e-ink display for hackerspaces, cafes, and other multi-user | spaces that displays the a password-of-the-day along with a | qrcode for easy login. Heck, include an NFC chip that hands out | application/vnd.wfa.wsc objects as well. | | I'm not sure how useful it would be beyond the cool factor, of | course ... the cafes in my area don't seem to change their wifi | passwords often at all, so I assume they're not very concerned | about leeching. The typical practice of printing it on a receipt | or writing it on the board next to the soup-of-the-day is | probably hard to beat. | bronco21016 wrote: | Typically you'd just use a captive portal with sessions that | time out. That's sufficient to keep away all but the most | determined leechers. | pathseeker wrote: | Unfortunately they are really annoying to use. | bronco21016 wrote: | I'd much rather use a captive portal than hunt for the 4" | e-ink device hiding in a place of business. | | They're definitely not perfect though and you find some | truly annoying configurations when you're out in the world | of public WiFi but for the most part it works. | dvtrn wrote: | What have been your frustrations with them? I've found them | dead easy to setup and implement | pathseeker wrote: | Woah, do not get into the habit of putting your wifi network | password into a website if you care about security. This | particular site might or might not collect it now but it's a | terrible habit to put your sensitive data into another site. | | Imagine if this was a web-based password strength meter. | tialaramex wrote: | In WPA2 and earlier it makes sense to have a WiFi password even | if it isn't secret from anyone. | | Without a WiFi password these versions communicate in | plaintext, so a passive adversary can snoop everything, | choosing a password switches on encryption and thus protects | against passive eavesdroppers. | | Only in WPA3 do networks with no password get encryption to | protect you from passive eavesdroppers. | | Obviously an active MitM can work regardless, but that's | trickier to attempt and unavoidably subject to detection. | | If you "care about security" in the sense of not wanting random | people to connect then you should not use "Personal mode" which | is garbage in all versions of WPA because it relies on a shared | human memorable password and (say it after me) human memorable | passwords are garbage. | | Use whichever of the terrible 802.1x alternatives best fits | your scenario, as these authenticate specific users rather than | relying on a single shared password. You can federate to allow | large groups of people with something in common to all use all | the networks in the federation. For students (and academic | staff) most tertiary education sites in the world now offer | Eduroam for example. | | Or, give it all up as a bad job, and (with the caveat at the | top about preventing passive eavesdropping) just stop trying to | fence off your network and accept that it's the Internet and | you'll need a BeyondCorp / Zero Trust security model. | unethical_ban wrote: | I think the OP was saying that it is not a good thing to | encourage people inputting their personal passwords to | untrusted websites. They weren't commenting on the need to | put passwords on wifi networks. | [deleted] | seesawtron wrote: | True. How else would one implement this as a workaround for | security? Perhaps a locally running version of the same thing | that hopefully doesn't upload the data back to some server? | | Edit: some users already commented in another thread about | pacakges that can do it instead. | CapriciousCptl wrote: | Neat. You can find more supported QR codes for iOS here-- | https://developer.apple.com/videos/play/tech-talks/206/ (I | couldn't find docs but you can skip around the video, starts at | 1:11). | Flimm wrote: | Nice! I didn't realise that iOS supports QR codes out of the | box now. | rhinoceraptor wrote: | You can also generate them via Siri Shortcuts now, I wrote a | simple shortcut that's shown on the share sheet, so I can | share WiFi credentials from 1Password via QR code. | | The shortcut is just regex match the base station, password | and security from the text 1Password shares, then format it | as WIFI:S:<ssid>;T:<security>;P:<password>;; and then pipe | that to the Generate QR code action. | wise_young_man wrote: | They added support built into the camera app starting with | iOS 11 (released in 2018). | | https://9to5mac.com/2018/05/16/how-to-qr-codes- | ios-11-iphone... | Flimm wrote: | Do all Android and iOS devices support this feature? | ken wrote: | iOS since 11.0 (2017, >98% of iOS users today): | https://en.wikipedia.org/wiki/IOS_11#Other_changes | lucb1e wrote: | I don't know what version it was introduced, but this has been | around for quite a while and doesn't rely on proprietary google | services or anything, so I expect all phones have it (though | maybe your QR code reader needs to support the format). | chrismorgan wrote: | Another fun bug report: I entered _lots_ of input, and the page | suddenly went blank. In the console: Error: code | length overflow. (28252>23648) | | So yeah, seems like all you have to do is paste 24KB of data in | and it blows up. :) | | I see this failure mode in React apps a _lot_ , where a bug | causes an exception to be thrown, and the page just vanishes in a | puff of smoke, as though it never was. | | Half the time I've seen this failure mode it's also been combined | with _persisting the bad value_ , so that the site is permanently | broken until you can unpersist the value (e.g. clear localStorage | or IndexedDB or cookie; but if the bad value is stored on a | server you're truly stuck). | | The impression I've taken away is that it's entirely unacceptable | for a React component to throw an exception, because it will | immediately destroy _everything_. Wonder how common such failures | actually are, and whether there's anything React itself could do | about it (my guess is not). | bndw wrote: | Thanks, fixed. TIL ssids have a max char count of 32: | | https://serverfault.com/questions/45439/what-is-the-maximum-... | chrismorgan wrote: | FYI, maxlength is actually not enough to protect against | people like me that are determined to break things for fun: | Firefox 77 starts letting you exceed maxlength if pasting | text in, to protect against accidental truncation. See | https://www.fxsitecompat.dev/en-CA/docs/2020/text- | exceeding-.... | | You may say it's a fairly contrived failure, but it's easily | possible, and plausible if the user _thinks_ they copied the | password onto the clipboard, but actually those paragraphs of | text they copied earlier are still on the clipboard. That | sort of thing happens to people that use the clipboard (e.g. | me) not uncommonly. | bndw wrote: | All good. This was a random weekend hack project meant to | solve a specific, personal need. Figured I'd share it out | in case others were interested. | | I'm glad it's sparked your curiosity but I hope you'll | understand the intent. I'd be happy to accept PR's if you'd | like to contribute! | Shakahs wrote: | This is what React error boundaries are for, containing the | exception and optionally showing a fallback or error. | paddlesteamer wrote: | I like how it ignores WEP. Don't use WEP. | encom wrote: | I've tried to use these before, but since my SSID is [the poop | emoji] (which i've just learned is verboten on HN) and the | password is 64 characters of hex, I've never gotten it to work, | and have exposed bugs in lots of shitty wifi hardware and | software. 64 char hex is what a regular 8-63 char password is | hashed to for encryption. Specifying it directly as 64 char hex | is in spec, and should be supported in software or hardware | that's made properly. | | Emoji SSID just kind of works in most cases, because an encoding | was never specified for that string, afaik. | | TL;DR: I shoot myself in the foot for entertainment. | srhngpr wrote: | Recently came across a QR Coder [1] that can generate for a | variety of different purposes, including Wifi (e.g., Bookmarks, | Email, Contact, GeoLocation, SMS, URL link, etc.) - the same | website also has a encoder/decoder and an API [2], but I've not | tried those features. | | [1] http://niftypdf.com/Barcoder/QRCoder [2] | http://niftypdf.com/Barcoder/API | chrismorgan wrote: | Per https://github.com/bndw/wifi- | card/blob/5d7fbbda1e8eac5802c8d..., the QR code text is of this | form: WIFI:T:WPA;S:{ssid};P:{password};; | | https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-n... | seems to be where this format came from. (That page describes | various other forms of QR codes too.) | | bndw: looks like some characters need escaping: backslash, | semicolon, comma and colon. Maybe more too, given the treatment | of double quotes in that last link (I've filed | https://github.com/zxing/zxing/issues/1292 about that | inconsistency). | seesawtron wrote: | Can someone give a short explaination as to how it works in the | backend? The QR code contains username and password. But how does | my phone's QR scanner know that its an SSID/pw and eventually | connects to the network? | macintux wrote: | See this comment: https://news.ycombinator.com/item?id=23371188 | | Presumably the camera app recognizes "WIFI:" as a protocol | string and passes the details along to the system settings. | seesawtron wrote: | Yes I saw, that is what the QR code contains (username and | password of the WIFI). But I do not understand what my phone | does when it sees that. There are tons of dubmbed-down | articles on "how-to" instructions but none explaining the | backend stuff happening on my phone's side. | | Also found qifi.org that does a similar thing. | est31 wrote: | The Zxing barcode scanner app does it this way: This [0] is | the dispatch code. If it detects WIFI as type, it passes it | to a WifiConfigManager [1] which then talks to Android's | WifiManager API. On the back end, the addOrUpdateNetwork | function of WifiManager [3] calls the method with the same | name of IWifiManager [4]. That class has a channel to a | WifiStateMachine [5] which sends a message with the command | CMD_ADD_OR_UPDATE_NETWORK. It's handled in the same file | (but I suppose it's in a different process, now a | privileged system process), and calls the | addOrUpdateNetwork function of WifiConfigStore [6]. | | The WifiConfigStore stores its config into a wpa_supplicant | compatible file. The file is then passed to the | wpa_supplicant service, which is also present on other | Linux distros like the GNU/Linux ones, although here the | config file is built by a dedicated NetworkManager service | (also, some intel folks are building a replacement IIRC). | wpa_supplicant is a privileged service that talks to the | WiFi card drivers. | | [0]: https://github.com/zxing/zxing/blob/0cf3b9be71680f50c9 | 0a71ca... | | [1]: https://github.com/zxing/zxing/blob/0b9b39a74fb3d7b010 | fb2979... | | [2]: https://developer.android.com/reference/android/net/wi | fi/Wif... | | [3]: https://android.googlesource.com/platform/frameworks/b | ase/+/... | | [4]: https://android.googlesource.com/platform/frameworks/o | pt/net... | | [5]: https://android.googlesource.com/platform/frameworks/b | ase/+/... | | [6]: https://android.googlesource.com/platform/frameworks/o | pt/net... | daveevad wrote: | it sounds to me like it's a custom url scheme built into | ios. | | https://developer.apple.com/documentation/uikit/inter- | proces... | kevin_thibedeau wrote: | It's vCard, not URL. | castratikron wrote: | Maybe someone will sell wifi routers with cute little LCD screens | in them that show this QR code? | graton wrote: | I just did this the other day using the newest version (6.4.4) of | LibreOffice Writer. It has a QR Code generator built in. | | As mentioned by someone else it uses the form of: | WIFI:T:WPA;S:{ssid};P:{password};; | | Wikipedia has information on this | https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F... | | Section of the Wikipedia article: | | _Joining a Wi-Fi network_ | | By specifying the SSID, encryption type, password/passphrase, and | if the SSID is hidden or not, mobile device users can quickly | scan and join networks without having to manually enter the data. | Note that this technique is valid for specifying only static SSID | passwords (i.e. PSK); dynamic user credentials (i.e. | Enterprise/802.1x) cannot be encoded in this manner. | | The format of the encoded string is: | WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>; | | Order of fields does not matter. Special characters """ | (quotation mark), ";" (semicolon), "," (comma), ":" (colon) and | "\" (backslash) should be escaped with a backslash ("\") as in | MECARD encoding. For example, if an SSID were "foo;bar\baz", with | quotation marks part of the literal SSID name itself, this would | be encoded as: WIFI:S:\"foo\;bar\\\baz\";; | | As of January 2018, iPhones have this feature built into the | camera app under iOS 11.x. Android users may have the feature | built into one of the device's stock apps (e.g. Samsung Galaxy | S8/S8+/Note8 users can launch the stock browser, tap the | browser's 3-dot menu, then choose "Scan QR code") or can install | one of several available free apps such as "Barcode Scanner" or | "QR Droid" to perform the QR Wi-Fi join. | ShamelessC wrote: | Typical Samsung, putting the feature inside their stock browser | (which I've disabled) instead of the camera where it makes | sense. | Stratoscope wrote: | On my Note 8 this feature works directly in the stock camera | app. I didn't know about this, but I just tested it on the | linked site and it works. | ShamelessC wrote: | That's strange. I just tried it on my Note 9. It recognizes | the QR code but just displays the unformatted WiFi string. | Doesn't attempt to connect at all. | Stratoscope wrote: | Very odd! I tested a friend's Note 9 and it works there | too. Both phones are on T-Mobile with their latest | Android update. | | The Note 9 is Android 10, One UI 2.0, build | QP1A.190711.020.N960USQS3DTB2. | | The Note 8 is Android 9, One UI 1.0, build | PPR1.180610.011.N950USQU7DTC1. | anaisbetts wrote: | The QR code that it initially displays is invalid, type | any text into the SSID/pass fields and it will work | superhuzza wrote: | I have an S8, the camera reads QR codes fine. It looks like | you may have to enable a setting the first time you read a QR | code, after that it will do automatically and ask if you want | to follow the link. | | https://www.samsung.com/au/support/mobile-devices/samsung- | qr... | BiteCode_dev wrote: | Also, android will display such QR code if you go to your wifi | settings so you can connect other devices easily. | londons_explore wrote: | What android version? | | It was my understanding that the android security model | doesn't allow this - specifically the settings permission | let's you connect to a new network, but not to get the | password back for an already saved network. | BiteCode_dev wrote: | Whatever is currently on the OnePlus 6 does it. | dudus wrote: | At last my Pixel 3a have that option. On the network | settings you can click "share" and it will give you a qr | code as well as show the password in cleartext in the | screen. It does require you to enter your password or scan | your digital to go there. | wazzaps wrote: | My Pocophone F1 has a button to generate a QR code from a | network in the settings app, I guess they added a special | permission for it. | thephyber wrote: | Neat. I investigated doing something like this a few weeks ago, | but it turned out there's a site that has a variety of QR code | tools: | | https://www.qr-code-generator.com/ | | (not trying to advertise the site, just saying it wasn't worth my | time to reinvent something) | lucb1e wrote: | I like the interface and that it doesn't need a server to | generate the QR image, but it doesn't work for my network | -\\_(tsu)_/- | | Edit: perhaps I should clarify that that's my network's name. In | the qr code reader it shows up as -_(tsu)_/- and it's stored in | wpa_supplicant.conf as c2af5f28e38384295f2fc2af (indeed missing | the backslash). | chrismorgan wrote: | Hah, I noticed the lack of escaping when skimming the code (see | my comment--workaround until fixed will be for you to double | the backslash yourself) but didn't expect it to actually | _affect_ anyone. Don't think I've never seen a backslash, | semicolon, comma or colon in an SSID. Or non-ASCII! | lucb1e wrote: | Since finding out SSIDs are not limited to 7-bit ASCII or | something, my networks have never been the same. | chrismorgan wrote: | Hmm, but it looks like under WPA-Personal keys _are_ still | limited to printable ASCII? | [deleted] ___________________________________________________________________ (page generated 2020-05-31 23:01 UTC)