QR codes, uses and security of


Ralph

Member
Sep 24, 2020
18
3
I've been using a small printout with the passwords of some sites I visit a lot. The list uses a few methods to make it useless should anyone find it. Recently I added QR codes of the entries on the back of the list, which caused me to try a number of QR code readers. I created the QR codes using a Windows program called "Codex". There are also iOS and Android versions. What I liked about Codex was it can read a QR optically, from a file, or directly off the monitor from a built-in screenshot.

I now have Codex installed on Windows, iOS, and Android devices. I do have some reservations about its security, although I haven't found any reason to distrust it yet. Since my QR passwords are useless as is, I wasn't overly worried. While trying a number of other QR code readers and generators for iOS I made an interesting discovery. I used a QR code with the public key of a cryptocurrency with only a few dollars in it. To my surprise a couple of QR apps from the Apple store that I tried read the QR code, and almost instantly started advertising cryptocurrency apps! That made it obvious that the apps were not only reading my QR code but checking its contents, and probably sending them elsewhere. Needless to say those apps got deleted. Interestingly none of the Android apps I tried 'called home', at least not obviously.

From what I saw many apps should not be trusted with QR codes that have 'valuable' contents. I still need to investigate open source software. I should have started there when it comes to security, but at least I learned something for not.

Is anyone using an app for QR codes that they have reason to trust, or has any useful features?
 

rfrazier

Well-known member
Sep 30, 2020
300
94
I've had good luck feature-wise with QR Droid on Android. I don't have any specific reason to believe it's phoning home but couldn't say for sure. Note that these apps will normally keep a history of the codes you scan. You may be able to turn that off. I actually use it as a backup of the 2FA codes that I scan for my Google Authenticator setups. That way, if I have to set up Google Authenticator on a different device, I can display the QR code on another device from the history and set up the new device. If my device were stolen, I'd have to change all my 2FA setups on all sites. However, even if I wasn't storing QR code histories, I've noted that anyone with the phone or tablet can run Google Authenticator and get current 2FA codes if they can get past the unlock screen or if the device is already unlocked.

Not directly related to QR codes, but I use WinAuth to store my 2FA codes on Windows. It's hard to know whether to trust free software like this, but this apparently trustworthy site recommends it:


And, according to that same page, here is the website for WinAuth:


You may wish to Google or DuckDuckGo more recommendations for WinAuth before using it, but it works for me.

Back to the QR code topic. You may be able to go into the settings for your QR code app and check privacy and security and make it less chatty. It's always a good idea to check the settings for any app you install.

Ron
 

PHolder

Well-known member
Sep 16, 2020
710
2
352
Ontario, Canada
any useful features
Why go through all this trouble? If you already have a system that will allow you to not worry about someone seeing it and knowing your password, all you want is a synced "notepad" type thing. You could use any password manager as well... there is no reason why you need to put your actual password in. LastPass has a secure note feature, you could simply use one [long] secure note.
 

rfrazier

Well-known member
Sep 30, 2020
300
94
Not to derail the thread, but I've been using LastPass ever since @Steve introduced us to it so many years ago. I still am, even though they're getting more expensive. @Steve and Leo have been advocating some other different programs recently on the SN podcast. I'm going to look those up should I need to change. This thread has a long discussion / debate on the issue.


But, like @PHolder said, I don't enter passwords into things, other than my master password for LastPass. If LogMeIn (owner of LastPass) goes up in smoke, I might have a problem. I wouldn't use one long secure note in LastPass. Create a database entry for each website, then you can fill, autofill, auto login, depending on how you have the settings. I prohibit autofill and auto login and manually activate the site entries when I want to log in.

Ron
 

Ralph

Member
Sep 24, 2020
18
3
Codex does keep a history of scanned codes. It allows you to clear the history but I have not found a way to disable it.

What I should have mentioned was I also use QR codes for the public keys of cryptocurrencies. While the public keys cannot be used to access your funds, on all but a few coins they can be used to trace the movement and amount of funds. Thinking about this further, my answer may be to scramble the keys similar to my passwords and create new QRs from those. I don't know why that didn't occur to me sooner.

What I have never used is a password manager. When I have the time I will have to read through the password manager threads. I have always liked to keep control of certain information 'in my own hands' so to say, but understand the value of multiple 'off site' backups.

One use of QR codes I thought of is using them as a radio-less key for a door lock or alarm system. The QR code can hold quite a bit of data which makes brute forcing difficult. I haven't searched online but I would not be surprised if there are similar projects already out there. I was thinking a low power Raspberry Pi like an A1+ with battery backup. Mounted on the back of a door it can detect motion or vibration with the correct sensors and can double as an alarm for that door.
 

Intuit

Well-known member
Dec 27, 2020
75
19
Think of QR Code simply as a modern update to the Bar Code tech; just more bit capacity in a tighter space and enhanced readability.