As mentioned by someone else it uses the form of:
WIFI:T:WPA;S:{ssid};P:{password};;
Section of the Wikipedia article:
Joining a Wi‑Fi network
By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data. Note that this technique is valid for specifying only static SSID passwords (i.e. PSK); dynamic user credentials (i.e. Enterprise/802.1x) cannot be encoded in this manner.
The format of the encoded string is:
WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;H:<true|false|>;
As of January 2018, iPhones have this feature built into the camera app under iOS 11.x. Android users may have the feature built into one of the device's stock apps (e.g. Samsung Galaxy S8/S8+/Note8 users can launch the stock browser, tap the browser's 3-dot menu, then choose "Scan QR code") or can install one of several available free apps such as "Barcode Scanner" or "QR Droid" to perform the QR Wi-Fi join.
https://www.samsung.com/au/support/mobile-devices/samsung-qr...
XKCD's bobby tables comes to mind. Sanitize your inputs. If you point & click and you immediately process what your camera sees, there is great risk in that.
I want a photo to be a photo. If I want to scan a QR code for the purpose of scanning a QR code, I use some special app (and Ι block it's Wifi/3G connectivity to enusre the QR app will not leak what Ι just photographed).
Edit: I follow the Steve Gibson school of thought. I want the "thing" to do the "thing", and nothing but the "thing". Camera should do camera-ing (adjust camera-related-attributes). QR app should do QR-app-things (show me in clear text the QR code and ask me what do I want to do with it)(register WiFi, visit a website, etc).
I've been using a shell alias to call `qrencode` with the appropriate details for a few years now.
It was my understanding that the android security model doesn't allow this - specifically the settings permission let's you connect to a new network, but not to get the password back for an already saved network.
Imagine if this was a web-based password strength meter.
Without a WiFi password these versions communicate in plaintext, so a passive adversary can snoop everything, choosing a password switches on encryption and thus protects against passive eavesdroppers.
Only in WPA3 do networks with no password get encryption to protect you from passive eavesdroppers.
Obviously an active MitM can work regardless, but that's trickier to attempt and unavoidably subject to detection.
If you "care about security" in the sense of not wanting random people to connect then you should not use "Personal mode" which is garbage in all versions of WPA because it relies on a shared human memorable password and (say it after me) human memorable passwords are garbage.
Use whichever of the terrible 802.1x alternatives best fits your scenario, as these authenticate specific users rather than relying on a single shared password. You can federate to allow large groups of people with something in common to all use all the networks in the federation. For students (and academic staff) most tertiary education sites in the world now offer Eduroam for example.
Or, give it all up as a bad job, and (with the caveat at the top about preventing passive eavesdropping) just stop trying to fence off your network and accept that it's the Internet and you'll need a BeyondCorp / Zero Trust security model.
The point of QR for this is to be able to actually share that high entropy 63 character string so you don't have to use a "human memorable password".
Edit: some users already commented in another thread about pacakges that can do it instead.
Error: code length overflow. (28252>23648)
I see this failure mode in React apps a lot, where a bug causes an exception to be thrown, and the page just vanishes in a puff of smoke, as though it never was.
Half the time I’ve seen this failure mode it’s also been combined with persisting the bad value, so that the site is permanently broken until you can unpersist the value (e.g. clear localStorage or IndexedDB or cookie; but if the bad value is stored on a server you’re truly stuck).
The impression I’ve taken away is that it’s entirely unacceptable for a React component to throw an exception, because it will immediately destroy everything. Wonder how common such failures actually are, and whether there’s anything React itself could do about it (my guess is not).
https://serverfault.com/questions/45439/what-is-the-maximum-...
You may say it’s a fairly contrived failure, but it’s easily possible, and plausible if the user thinks they copied the password onto the clipboard, but actually those paragraphs of text they copied earlier are still on the clipboard. That sort of thing happens to people that use the clipboard (e.g. me) not uncommonly.
https://9to5mac.com/2018/05/16/how-to-qr-codes-ios-11-iphone...
The shortcut is just regex match the base station, password and security from the text 1Password shares, then format it as WIFI:S:<ssid>;T:<security>;P:<password>;; and then pipe that to the Generate QR code action.
I'm not sure how useful it would be beyond the cool factor, of course … the cafés in my area don't seem to change their wifi passwords often at all, so I assume they're not very concerned about leeching. The typical practice of printing it on a receipt or writing it on the board next to the soup-of-the-day is probably hard to beat.
Edit: Thank you to those who replied!
qrencode -o wifi.png "WIFI:T:WPA;S:<SSID>;P:<PASSWORD>;;"
qrencode -t ansiutf8 'WIFI:T:WPA;S:{ssid};P:{password};;'
Presumably the camera app recognizes “WIFI:” as a protocol string and passes the details along to the system settings.
Also found qifi.org that does a similar thing.
Edit: perhaps I should clarify that that's my network's name. In the qr code reader it shows up as ¯_(ツ)_/¯ and it's stored in wpa_supplicant.conf as c2af5f28e38384295f2fc2af (indeed missing the backslash).
Be a decent solution for a business that wants to offer guest wifi with a little less risk of abuse.
WIFI:T:WPA;S:{ssid};P:{password};;
bndw: looks like some characters need escaping: backslash, semicolon, comma and colon. Maybe more too, given the treatment of double quotes in that last link (I’ve filed https://github.com/zxing/zxing/issues/1292 about that inconsistency).
Someone suggested it on the 1Password forums [1] and one of their employees said it it was a great idea and would pass it to the development team, but that was in September, 2017, so apparently it didn't go anywhere.
About 18 months ago, someone suggested it on /r/1password [2], and again someone from 1Password liked it and said they would pass it on to the devs.
[1] https://discussions.agilebits.com/discussion/82070/feature-r...
[2] https://www.reddit.com/r/1Password/comments/a1udg2/feature_r...
Emoji SSID just kind of works in most cases, because an encoding was never specified for that string, afaik.
TL;DR: I shoot myself in the foot for entertainment.
So as hex, you would need to try both of these for your ssid: U+1F4A9 or F0 9F 92 A9
Unfortunately, encoding to UTF-8 and setting a BOM won't guarantee this will work for you, because most QR decoders actually use heuristics to guess the encoding of the text.
You can make it behave a little better by setting ECI (to specify the encoding) when creating your QR code, but even though that was introduced in 2000, most QR decoders don't have ECI implemented.
Your best bet is to try UTF-8 encoding of the emoji first, and then fallback to the unicode representation.
[1] http://niftypdf.com/Barcoder/QRCoder [2] http://niftypdf.com/Barcoder/API
https://www.qr-code-generator.com/
(not trying to advertise the site, just saying it wasn't worth my time to reinvent something)