Encoding your WiFi access point password into a QR code

Up until recently, it was a pain to defend againt WPA2 brute-force attacks by using a random 63-character password (the maximum in WPA-Personal) mode). Thanks to Android 10 and iOS 11 supporting reading WiFi passwords from a QR code, this is finally a practical defense.

Generating the QR code

After installing the qrencode package, run the following:

qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"

substituting <SSID> for the name of your WiFi network and <PASSWORD> for the 63-character password you hopefully generated with pwgen -s 63.

If your password includes a semicolon, then escape it like this:

"WIFI:T:WPA;S:<SSID>;P:pass\:word;;"

since iOS won't support the following (which works fine on Android):

'WIFI:T:WPA;S:<SSID>;P:"pass:word";;'

The only other pitfall I ran into is that if you include a trailing newline character (for example piping echo "..." into qrencode as opposed to echo -n "...") then it will fail on both iOS and Android.

The full syntax for these WiFi QR codes can be found on the zxing wiki.

Scanning the QR code

On iOS, simply open the camera app and scan the QR code to bring up a notification which allows you to connect to the WiFi network:

On Android, go into the WiFi settings and tap on the WiFi network you want to join:

then click the QR icon in the password field and scan the code:

In-browser alternative

If you can't do this locally for some reason, there is also an in-browser QR code generator with source code available.

RSS Atom

Script it

SSID=SSID_GOES_HERE
pwgen -s 63 > 00wifi.txt
qrencode -o 00wifi.png "WIFI:T:WPA;S:${SSID};P:$(cat 00wifi.txt);;"

Comment by Anonyme — Sun Dec 29 01:18:22 2019

63 characters?

Neither my current mobile device (GPD Pocket running Debian bullseye), nor my future one, the Pyra (there is still some hope), feature a camera. With a password of 63 characters, I hope to type everything correctly! :-)

Comment by Martin — Mon Dec 30 04:58:46 2019

@Martin

If you're using a phone without a camera then there's no point in using a QR code anyway, is it?

Comment by RobIII — Mon Dec 30 07:22:57 2019

WiFi QR Code

Hi, is it possible to include proxy configuration in QR Code?

Comment by Hubert — Sun Feb 20 07:34:16 2022

QR CODE WiFi format

Wi-Fi Network config (Android, iOS 11+)

WIFI:T:WPA;S:mynetwork;P:mypass;;

Paramater	Example	Description
T	WPA	Authentication type; can be WEP or WPA or WPA2-EAP, or nopass for no password. Or, omit for no password.
S	mynetwork	Network SSID. Required. Enclose in double quotes if it is an ASCII name, but could be interpreted as hex (i.e. "ABCD")
P	mypass	Password, ignored if T is nopass (in which case it may be omitted). Enclose in double quotes if it is an ASCII name, but could be interpreted as hex (i.e. "ABCD")
H	true	Optional. True if the network SSID is hidden. Note this was mistakenly also used to specify phase 2 method in releases up to 4.7.8 / Barcode Scanner 3.4.0. If not a boolean, it will be interpreted as phase 2 method (see below) for backwards-compatibility
E	TTLS	(WPA2-EAP only) EAP method, like TTLS or PWD
A	anon	(WPA2-EAP only) Anonymous identity
I	myidentity	(WPA2-EAP only) Identity
PH2	MSCHAPV2	(WPA2-EAP only) Phase 2 method, like MSCHAPV2

Order of fields does not matter. Special characters \, ;, ,, " and : should be escaped with a backslash (). For example, if an SSID was literally "foo;bar\baz" (with double quotes part of the SSID name itself) then it would be encoded like: WIFI:S:\"foo\;bar\baz\";;

Comment by Mike — Thu Sep 1 05:56:18 2022

Add a comment