QR codes, uses and security of


Ralph
Sep 24, 2020
I've been using a small printout with the passwords of some sites I visit a lot. The list uses a few methods to make it useless should anyone find it. Recently I added QR codes of the entries on the back of the list, which caused me to try a number of QR code readers. I created the QR codes using a Windows program called "Codex". There are also iOS and Android versions. What I liked about Codex was it can read a QR optically, from a file, or directly off the monitor from a built-in screenshot.

I now have Codex installed on Windows, iOS, and Android devices. I do have some reservations about its security, although I haven't found any reason to distrust it yet. Since my QR passwords are useless as is, I wasn't overly worried. While trying a number of other QR code readers and generators for iOS I made an interesting discovery. I used a QR code with the public key of a cryptocurrency with only a few dollars in it. To my surprise, a couple of QR apps from the Apple store that I tried read the QR code, and almost instantly started advertising cryptocurrency apps! That made it obvious that the apps were not only reading my QR code but checking its contents, and probably sending them elsewhere. Needless to say, those apps got deleted. Interestingly, none of the Android apps I tried 'called home', at least not obviously.

From what I saw, many apps should not be trusted with QR codes that have 'valuable' contents. I still need to investigate open source software. I should have started there when it comes to security, but at least I learned something for now.

Is anyone using an app for QR codes that they have reason to trust, or has any useful features?
 
I've had good luck feature-wise with QR Droid on Android. I don't have any specific reason to believe it's phoning home but couldn't say for sure. Note that these apps will normally keep a history of the codes you scan. You may be able to turn that off. I actually use it as a backup of the 2FA codes that I scan for my Google Authenticator setups. That way, if I have to set up Google Authenticator on a different device, I can display the QR code on another device from the history and set up the new device. If my device were stolen, I'd have to change all my 2FA setups on all sites. However, even if I wasn't storing QR code histories, I've noted that anyone with the phone or tablet can run Google Authenticator and get current 2FA codes if they can get past the unlock screen or if the device is already unlocked.

Not directly related to QR codes, but I use WinAuth to store my 2FA codes on Windows. It's hard to know whether to trust free software like this, but this apparently trustworthy site recommends it:


And, according to that same page, here is the website for WinAuth:


You may wish to Google or DuckDuckGo more recommendations for WinAuth before using it, but it works for me.

Back to the QR code topic. You may be able to go into the settings for your QR code app and check privacy and security and make it less chatty. It's always a good idea to check the settings for any app you install.

Ron
 
any useful features
Why go through all this trouble? If you already have a system that will allow you to not worry about someone seeing it and knowing your password, all you want is a synced "notepad" type thing. You could use any password manager as well... there is no reason why you need to put your actual password in. LastPass has a secure note feature, you could simply use one [long] secure note.
 
Not to derail the thread, but I've been using LastPass ever since @Steve introduced us to it so many years ago. I still am, even though they're getting more expensive. @Steve and Leo have been advocating some other different programs recently on the SN podcast. I'm going to look those up should I need to change. This thread has a long discussion / debate on the issue.


But, like @PHolder said, I don't enter passwords into things, other than my master password for LastPass. If LogMeIn (owner of LastPass) goes up in smoke, I might have a problem. I wouldn't use one long secure note in LastPass. Create a database entry for each website; then you can fill, autofill, or auto login, depending on how you have the settings. I prohibit autofill and auto login and manually activate the site entries when I want to login.

Ron
 
Codex does keep a history of scanned codes. It allows you to clear the history but I have not found a way to disable it.

What I should have mentioned was I also use QR codes for the public keys of cryptocurrencies. While the public keys cannot be used to access your funds, on all but a few coins they can be used to trace the movement and amount of funds. Thinking about this further, my answer may be to scramble the keys similar to my passwords and create new QRs from those. I don't know why that didn't occur to me sooner.

What I have never used is a password manager. When I have the time I will have to read through the password manager threads. I have always liked to keep control of certain information 'in my own hands' so to say, but understand the value of multiple 'off site' backups.

One use of QR codes I thought of is using them as a radio-less key for a door lock or alarm system. The QR code can hold quite a bit of data which makes brute forcing difficult. I haven't searched online but I would not be surprised if there are similar projects already out there. I was thinking a low power Raspberry Pi like an A1+ with battery backup. Mounted on the back of a door it can detect motion or vibration with the correct sensors and can double as an alarm for that door.
 
Think of QR Code simply as a modern update to the Bar Code tech; just more bit capacity in a tighter space and enhanced readability.