Encoding your WiFi access point password into a QR code

Up until recently, it was a pain to defend againt WPA2 brute-force attacks by using a random 63-character password (the maximum in WPA-Personal) mode). Thanks to Android 10 and iOS 11 supporting reading WiFi passwords from a QR code, this is finally a practical defense.

Generating the QR code

After installing the qrencode package, run the following:

qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"

substituting <SSID> for the name of your WiFi network and <PASSWORD> for the 63-character password you hopefully generated with pwgen -s 63.

If your password includes a semicolon, then escape it like this:

"WIFI:T:WPA;S:<SSID>;P:pass\:word;;"

since iOS won't support the following (which works fine on Android):

'WIFI:T:WPA;S:<SSID>;P:"pass:word";;'

The only other pitfall I ran into is that if you include a trailing newline character (for example piping echo "..." into qrencode as opposed to echo -n "...") then it will fail on both iOS and Android.

Scanning the QR code

On iOS, simply open the camera app and scan the QR code to bring up a notification which allows you to connect to the WiFi network:

On Android, go into the WiFi settings and tap on the WiFi network you want to join:

then click the QR icon in the password field and scan the code:

In-browser alternative

If you can't do this locally for some reason, there is also an in-browser QR code generator with source code available.

RSS Atom

Script it

SSID=SSID_GOES_HERE
pwgen -s 63 > 00wifi.txt
qrencode -o 00wifi.png "WIFI:T:WPA;S:${SSID};P:$(cat 00wifi.txt);;"

Comment by Anonyme — Sun Dec 29 01:18:22 2019

63 characters?

Neither my current mobile device (GPD Pocket running Debian bullseye), nor my future one, the Pyra (there is still some hope), feature a camera. With a password of 63 characters, I hope to type everything correctly! :-)

Comment by Martin — Mon Dec 30 04:58:46 2019

@Martin

If you're using a phone without a camera then there's no point in using a QR code anyway, is it?

Comment by RobIII — Mon Dec 30 07:22:57 2019

WiFi QR Code

Hi, is it possible to include proxy configuration in QR Code?

Comment by Hubert — Sun Feb 20 07:34:16 2022

QR CODE WiFi format

Wi-Fi Network config (Android, iOS 11+)

WIFI:T:WPA;S:mynetwork;P:mypass;;

Paramater	Example	Description
T	WPA	Authentication type; can be WEP or WPA or WPA2-EAP, or nopass for no password. Or, omit for no password.
S	mynetwork	Network SSID. Required. Enclose in double quotes if it is an ASCII name, but could be interpreted as hex (i.e. "ABCD")
P	mypass	Password, ignored if T is nopass (in which case it may be omitted). Enclose in double quotes if it is an ASCII name, but could be interpreted as hex (i.e. "ABCD")
H	true	Optional. True if the network SSID is hidden. Note this was mistakenly also used to specify phase 2 method in releases up to 4.7.8 / Barcode Scanner 3.4.0. If not a boolean, it will be interpreted as phase 2 method (see below) for backwards-compatibility
E	TTLS	(WPA2-EAP only) EAP method, like TTLS or PWD
A	anon	(WPA2-EAP only) Anonymous identity
I	myidentity	(WPA2-EAP only) Identity
PH2	MSCHAPV2	(WPA2-EAP only) Phase 2 method, like MSCHAPV2

Order of fields does not matter. Special characters \, ;, ,, " and : should be escaped with a backslash (). For example, if an SSID was literally "foo;bar\baz" (with double quotes part of the SSID name itself) then it would be encoded like: WIFI:S:\"foo\;bar\baz\";;

Comment by Mike — Thu Sep 1 05:56:18 2022

Add a comment