Long term preservation for passwords via QR Codes

Apr 7, 2021 14:25 · 378 words · 2 minute read

QR Codes are a quick and easy way to store sensitive information on paper, such as passwords or crypto keys. In this short guide we’ll see how to use QR Codes to store and restore textual information.

Requirements

To generate the QR Code we will need QREncode. This nice library comes with a simple, easy-to-use CLI executable. It should be available for most Linux distributions and macOS, and there is a port for Windows. This guide was tested with version 4.1.1.

To decode the QR Code we can use zbar, a cross-platform program which provides the zbarimg executable. Here we used version 0.23.1.

Preparing the payload

A QR Code can store up to 2'953 8-bit characters encoded in ISO 8859-1, more if you use only digits or alphanumeric characters. If you want to store binary data, you should convert it to ASCII (for instance with base64). If you want to store a larger file, you will have to split it (for instance with split).

Here we will simply store some very important password information in a file called secret.txt:

$ cat /tmp/secret.txt
Credentials for https://yoyodine.waste/
[2003-04-05]

Username: trystero
Password: LOT49lot49LOT49

I use cleartext. You could encrypt it, but then you will also need to back up the encryption key…

Note that I work in my /tmp directory to be sure the data will be erased on reboot. If you want to be more cautious, disconnect the network or use Tails.

QR Code generation

To generate the QR code:

qrencode -o secret.png < secret.txt

Don’t forget the <. If you do, you will just encode the file name and not the file content…

The resulting image will be:

secret.png

Print it, and store it in a secure location. Be sure to delete it from your computer. Avoid selling your printer right away, because it may hold a copy.

QR Code restoration

To restore it, scan or take a picture of your QR Code. You can then use zbarimg, and it will just work:

$ zbarimg scan.png
QR-Code:Credentials for https://yoyodine.waste/
[2003-04-05]

Username: trystero
Password: LOT49lot49LOT49

scanned 1 barcode symbols from 1 images in 0.03 seconds
...

You can also try zbarcam which uses a webcam to directly decode the QR code, without scanning it. But I had little success with larger QR codes.
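
The steps from "Preparing the payload" through restoration, combined for a file too large or too binary for a single code, as an added example that is not part of the original post. It assumes GNU coreutils, qrencode and zbarimg on the PATH; the function names and the chunk./qr. file naming are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils,
# qrencode and zbarimg; function and file names are hypothetical.
QR_MAX_BYTES=${QR_MAX_BYTES:-2953}   # 8-bit capacity quoted in the post

# make_chunks FILE DIR: base64-encode FILE and cut the text into pieces that
# each fit one QR code. Prints the number of chunks; fails on an empty file.
make_chunks() {
    [ -s "$1" ] || return 1
    mkdir -p "$2" || return 1
    rm -f "$2"/chunk.*                      # drop chunks from an earlier run
    base64 < "$1" | tr -d '\n' | split -b "$QR_MAX_BYTES" - "$2/chunk." || return 1
    ls "$2"/chunk.* | wc -l | tr -d ' '
}

# join_chunks DIR: concatenate the chunks in order and undo the base64 step.
join_chunks() {
    cat "$1"/chunk.* | base64 -d
}

# encode_and_verify DIR: write qr.<suffix>.png for every chunk, decode the
# image again and fail unless the decoded text equals the chunk.
encode_and_verify() {
    for c in "$1"/chunk.*; do
        png="$1/qr.${c##*.}.png"
        qrencode -8 -l L -o "$png" < "$c" || return 1
        [ "$(zbarimg --raw -q "$png")" = "$(cat "$c")" ] || return 1
    done
}

# Usage: sh qrsplit.sh FILE DIR
if [ "$#" -eq 2 ]; then
    n=$(make_chunks "$1" "$2") || { echo "nothing to encode" >&2; exit 1; }
    encode_and_verify "$2" || { echo "QR round trip failed" >&2; exit 1; }
    join_chunks "$2" | cmp -s - "$1" || { echo "reassembly mismatch" >&2; exit 1; }
    echo "$n QR code(s) written to $2 and verified"
fi
```

This checks only the generated image files, so run the same zbarimg comparison on a scan of the printed pages before deleting the source. Setting QR_MAX_BYTES to a smaller value produces more, less dense codes.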