Show HN: Print a WiFi Login Card (opens in new tab)

(wificard.io)

769 pointsbndw4y ago326 comments

326 comments

> Your WiFi information is never sent to the server.

This makes me think that we could use some flag that identifies purely static websites. Like next to the green https lock there is a sign that this website can not send data to any server

Ajedi324y ago

I think something like that might be feasible in the future with things like web bundles[1] and content security policy[2]. In theory you could have a site loaded as a bundle and a CSP that blocks everything not loaded through the bundle, effectively cutting off all network access.

You'd probably also need some sort of Feature-Policy[3] that prohibits access to any form of persistent storage so sites can't just save data until the next non-CSP-protected page load and transmit it then.

[1]: https://wicg.github.io/webpackage/draft-yasskin-wpack-bundle...

[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

[3]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Fe...

secureleaf4y ago

This a great idea but it would be difficult to implement. Sure, it would be easy to catch (and block) HTTP requests other than OPTIONS and GET.

But even a GET request can be used to send data. Just pack the data you want to send in the query string and voila.

pkulak4y ago

Just some JS call like "startStatic()". At that point, all network activity is shut down for good, and the page gets a badge.

outericky4y ago

So don’t allow GET with query params. You want the static moniker? It has to be static. No server interaction after load, and no sending any data during load.

1 more reply

steviedotboston4y ago

I wonder if this could be a browser extension

abahlo4y ago

That would me amazing

quickthrower24y ago

What if it didn't send anything to the server. Today. But stored it in local storage. And sends it next week when you come back.

runeks4y ago

Don't allow that. When a site registers as "local", which gives it the "local" badge, do not allow the site to switch back to non-local.

Perhaps the site could be allowed to update itself. But this update function should not have access to any local/client state.

lucb1e4y ago

I can also recommend drawing it instead of printing if you hate printers with the same passion as me. Record to beat for drawing a working QR code is 3 tries and I think about three hours (for an SSID of 13 bytes (5 unicode characters) and 19-character password). I did it mostly out of curiosity how hard it would actually be (spoiler: medium difficulty).

dmitryminkovsky4y ago

You’re my new hero. Did you use graphing paper? Have you hashed by hand as well? http://www.righto.com/2014/09/mining-bitcoin-with-pencil-and...

MrBuddyCasino4y ago

> hate printers with the same passion as me

A remedy exists, it costs around 100€, is sold by Brother and is called "wifi-enabled laser printer". Your life will be free off printing woes onwards.

simondotau4y ago

Can confirm. Zero problems in seven years. Though go for a model with wired Ethernet, still cheap and even more bulletproof.

1 more reply

greyhair4y ago

Love my HL-L2360DW hanging directly off Ethernet. What a truck! Fast enough, auto duplex printing. Mine never jams. It just doesn't. Cheap cheap cheap to run.

I also have a Canon MG6220 for when I need color, which is not often. I gets used more as a scanner/copier than as a printer. It has also been really reliable, and since it doesn't print all that much, the ink cost has been quite bearable. I might not feel the same about the Canon if I didn't have the little brother laser printer available to pound out B&W documents when I need them.

mleonhard4y ago

Second. The "Brother Print&Scan" app is completely usable for printing from iPhone. Third-party replacement toner is cheap.

2 more replies

quickthrower24y ago

How do I connect the printer to wifi, without the printed wifi card?

1 more reply

fouc4y ago

I'm more curious about why you hate printers.

plasma4y ago

If OPs experience is anything like mine, they just suck at doing their job.

There's often some silly reason its stuck, or it prints wrong, or the colors are off, etc, its really just a super painful experience and I can't believe its still so bad.

1 more reply

lucb1e4y ago

Others said most of what there is to say but to give an answer from 'OP': them working reliably is the exception.

Out of yellow -> refuses to print black. DRM cartridges that you can't have refilled. Black ink being more expensive than blood. Driver problems. Network issues. Paper jams. Out of paper error when there is paper. Trying to draw from the wrong paper tray. It doing five minutes of warmup exercises when you really want to get going but forgot to print this signed form to hand in. A new printer being literally free if you just buy the ink with it (my grandma has one of those). And so on.

It's insanity more often than not.

Ironically, Linux drivers are (as of ~2013 I've noticed this) more reliably than Windows ones. For scanners also. My dad had to re-add the printer (which works fine on Linux) every time on Windows in the configuration panel. It would say 'offline' but could be discovered and then printed with just fine. But only until it goes into standby mode, the next day it's the same story. Now he got an expensive scanner (the kind where you get business support), same story: it just doesn't see the device half the time. This time it's clearly a device issue though: it also only responds to ping when the computer can work with it (i.e. the device is just unreachable when the computer says it's unreachable; not a driver issue for once). And you pay a few hundred bucks for that.

The big ones at school or in bigger companies, those seem to work reliably most of the time these days, and if one is out of order you can go a floor up and use the next one. I also remember my old boss (RIP) had a printer that never had a single issue -- of course the model went out of production by the time it gained the track record (all I remember is that it was a Brother laser printer, no colors, only one paper tray, no scanning... all that probably helped). Perhaps you, too, had one of these lucky models and were spared these printer problems.

But so yeah that sparked a whole category of jokes on the internet, most people having this experience (at least until a few years ago, perhaps it has gotten better? People also just don't print as much).

mitul_454y ago

I used to hate printers too but that changed when I started using HP Instant Ink.

The printer needs to be connected to wifi all the time but on the flip side, the printer orders ink cartridges well in advance (so they get delivered in time and I have them ready when I need).

1 more reply

gorgoiler4y ago

Thank you so much for the inspiration! I had a very relaxing time drawing my own as well, just now.

It is interesting how many ideas come to oneself when drawing and filling the grid. By the end I had all sorts of weird MC Escher style insanity.

lucb1e4y ago

Wow, I'm blown away by the response here, more in upvotes than in comment volume but that doesn't make me any less happy to see it. Your comment and u/dmitryminkovsky's are very kind, thank you. I'm glad you enjoyed the experience :)

ThePadawan4y ago

I do wish there was an option to safely disable all connectivity in a browser tab (forever) like with Javascript or camera access.

Yes, saving the page, disconnecting your network connection, then deleting the page would work, but it's a real bother.

pryce4y ago

I think the risk model for this sort of thing is still... complicated, even though the site as it stands is safe and does not transmit credentials.

After first gaining popularity, the domain could later pass to someone with malicious intent quite easily, eg:

1. Tech people like HN verify the site as credible and approve of it

2. The site gains popularity and goes viral / receives significant use

3. The original author abandons the site because of costs, or simple boredom

4. A malicious actor acquires the domain and begins recording users credentials alongside IP addresses.

Conceivably, an enormous amount could be captured before the malicious recording became exposed, and (importantly) most of those whose credentials were compromised would have no straightforward path by which they could be alerted.

Other scenarios: site is malicious to begin with but set up to not transmit credentials during its first ~28 days.

Mirrors of this site with credential capture added, (hard to claim that's a flaw of this site itself, just a flaw with "this type of site being normalized").

avel4y ago

DevTools -> network -> Change the throttling to "offline"

pimterry4y ago

Note that today in Chromium-based browsers this does _not_ take a page completely offline - it only affects some specific internal HTTP request APIs, so it's still quite possible to exfiltrate data. For example, WebSockets & WebRTC aren't affected: https://bugs.chromium.org/p/chromium/issues/detail?id=423246 (although it looks like there's work to start to properly support this in progress).

dzhiurgis4y ago

Does it stay offline if you have a service worker?

41b696ef11134y ago

Offline is not an option in Firefox, just progressively worse connection options.

3 more replies

mholt4y ago

Yep, I kind of wish browser permissions let you gate access to the network just like they do the camera, mic, location, etc. (Though, network permission would probably need to be enabled by default to not break the Web.)

dheera4y ago

Also another nitpick:

> View the source code

It would be really nice if the source code in the browser (no, not the Github repo; how do I know the web server served the same thing as the Github repo?) were displayed in a human-readable format with proper tabbing, comments if applicable, and not an obfuscated, minified form.

In fact if your goal isn't specifically obfuscation, it's not necessary to minify JS in general. Web servers do a good job gzipping stuff.

ComputerGuru4y ago

We’re moving far, far away from the observability and introspection that once made the web a transparent medium. First it was minified JS, then it was minified and obfuscated JS, then it was using a canvas instead of the DOM to prevent even HTML inspection, and now it’s binary executable payloads (WASM) rendering to a WebGL context with zero introspection possible.

1 more reply

ThePadawan4y ago

Hm, we could have the best of both worlds if source maps (can already be served to browsers and are supported fine) could be proven authentic.

I believe right now, I could use foo.min.js and serve you a cruddy foo.min.map.js to mislead you.

If I served you the original sources foo.concat.js and a build script to go from foo.concat.js => foo.min.js instead, we could have both the speed of the minified version and the (proven by the browser) accurate source code and maps!

toomuchtodo4y ago

Perhaps https://github.com/ray-lothian/Block-Site/ could be adapted to your needs.

floatingatoll4y ago

I do too. Even the web extension APIs don’t seem to comprehend this. It’s super disappointing and it’s holding back extension development and enabling a massive malware problem.

rhn_mk14y ago

uMatrix kind of does this. Once you forbid everything, requests will get filtered out.

I'm not sure if this affects service workers though.

gpvos4y ago

Can uMatrix do that only for the current tab?

1 more reply

mrfusion4y ago

Airplane mode?

fulafel4y ago

The page might start a service worker and exfiltrate the data when connectivity returns even after the tab is closed.

2 more replies

dzhiurgis4y ago

Same for apps.

And it's crazy you can't disable phone service on iPhone.

Also, if you worried about someone accessing your network then you probably need to isolate your devices from seeing each other.

TBH other than pwning my router or misusing my IP address in some way I don't see much problem having my devices on public net. All of them run firewall and are up to date. Most traffic is HTTPS and I'm not sure if you can MITM with just Wifi password lol.

hnov4y ago

My iPhone has a pre-defined "Make QR Code" "Starter Shortcut" that you can invoke by typing "Make QR Code" in Home screen search. It basically generates a QR code of the same WIFI:S:$SSID;P:$PASSWORD;; format as wificard.io.

https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

JorgeGT4y ago

My Pixel 4a can also generate a QR by opening a particular network in the settings app and pressing «share».

xdrosenheim4y ago

I'm pretty sure most phone can do that today. I know most Android can.

davchana4y ago

My Honor Nova5t running Android 10 also did this, when I clicked on connected wifi's name.

vxNsr4y ago

What? That’s awesome I had no idea that came built in! Pretty cool!

lostsock4y ago

Samsung Galaxy Ultra 21 can do this too.

Zash4y ago

    qrencode -t utf8 'WIFI:T:WPA;S:network;P:password;;'

maddyboo4y ago

If you want some interactivity (bash):

    read -rp "SSID: " ssid
    read -rsp "Password: " pass
    echo -e "\n"
    qrencode -t utf8 "WIFI:T:WPA;S:$ssid;P:$pass;;"
    echo "SSID: $ssid"

Even better, generate a PDF with emojis and all!

    #!/usr/bin/env bash
    out="${1:-wifi-card.pdf}"
    read -rp "SSID: " ssid
    read -rsp "Password: " pass
    echo -e "\nGenerating PDF..."
    {
    cat << EOF
    <table>
    <tr>
    <td><img src="data:image/png;base64,$(qrencode -o - -t png "WIFI:T:WPA;S:$ssid;P:$pass;;" | base64)"></td>
    <td><span>SSID: $ssid</span><br><span>Password: $pass</span></td>
    </tr>
    </table>
    <p>
    <img width=16 height=16 src="https://raw.githubusercontent.com/iamcal/emoji-data/master/img-apple-64/1f4f8.png">
    <img width=16 height=16 src="https://raw.githubusercontent.com/iamcal/emoji-data/master/img-apple-64/1f4f1.png">
    Point your phone's camera at the QR Code to connect automatically.
    </p>
    EOF
    } | pandoc --pdf-engine=xelatex -f html -t pdf -o "$out"
    echo "$out"

I used those GitHub URLs for the emojis because pandoc was being weird about the unicode versions.

tclancy4y ago

Note to anyone blindly cutting and pasting this, the final EOF needs to be alone on the line with no indentation (VSCode did me a disservice and formatted it poorly which confused the hell out of shellcheck but left me learning something today, which was nice).

vletal4y ago

Since OP intended to learn a bunch of technologies while developing this project I'd be amused to see a version of this based on qrencode complied to WASM.

IgorPartola4y ago

Why is this not a neural network?

1 more reply

40four4y ago

I wouldn’t ask if it wasn’t the top comment, on the current #1 front page story, but

Can someone please explain this command, and why it is presumably given as a criticism of this submission?

MobiusHorizons4y ago

There is an inherent skepticism about typing your password into a web form even/especially if it says it is not sent to the server. My read of this comment was on the one hand telling security conscious people how to achieve the same goal in a way that does not leave the computer, and on the other hand putting a lower bound on the complexity of the value provided by the site.

1 more reply

sha256kira4y ago

I didnt read it as a criticism necessarily. Qrencode is just awesome. I like that someone made a UI for this though so non-ghost-in-the-shell folks can get down with this awesome use of QR code dopeness :^)

tomc19854y ago

As other comments have pointed out, the tech stack used here is excessive for what it is trying to do. The author has said it was a project to learn some specific technologies. There is a lot of mirth for overcomplicated contraptions mucking up otherwise simple tasks (and rightfully so, IMO), hence the retort of a one-line console command.

1 more reply

kzrdude4y ago

I don't think we should always see a reply as criticism. It makes the discussion unnecessarily contentious.

Even this reply - this is intended as conversation.

enjoyyourlife4y ago

The site requires you to put in your WiFi Network and Password even though it did not have to. (However nothing is actually sent to the server)

1 more reply

CraneWorm4y ago

A decade old SO adage comes o mind:

"This should be the accepted answer."

_rdvw4y ago

For WPA3

  WIFI:S:SSID;T:WPA3;P:PASSWORD;;

m0dest4y ago

Can you elaborate? Why doesn't the traditional WPA1/WPA2 string work? What happens if a non-WPA3 client scans this new one?

1 more reply

chrisxcross4y ago

For users of NetworkManager:

  nmcli device wifi show-password

alias_neo4y ago

Wow thanks. I just learned something new.

This is now my favourite way to grab the WiFi password.

1 more reply

alphachloride4y ago

    Write-Host "?"

floatingatoll4y ago

Did you type this in from memory?!

captn3m04y ago

There is no real specification. This is the best source[1], which documents QR standards.

>There are some standards -- de facto and otherwise -- already in use. This wiki attempts to catalog some possible standards for encoding various types of information, and suggest a standard action associated to them.

[1]: https://github.com/zxing/zxing/wiki/Barcode-Contents#wi-fi-n...

1 more reply

prophesi4y ago

Not OP, but I found that string from viewing the source code for Card.js in the sources tab.

mdaniel4y ago

In fairness, the string doesn't seem insaneo: T:=Type S:=SSID P:=Password then only the leading and trailing chars need to be "remembered", plus whatever the escape character is for that password string (or maybe even the SSID -- I'm not super clear on what characters can be in an SSID)

1 more reply

tomjen34y ago

>zsh: command not found: qrencode

chadlavi4y ago

brew install qrencode && !!

raspyberr4y ago

I know it says "No tracking, analytics, or fingerprinting are used on this website" but it calls out to Google fonts...

tkuraku4y ago

I just generate a QR code for my wifi login using libreoffice writer.

Edit: just use the built in QR code generator with a string in this format.

WIFI:T:WPA;S:$SSID;P:$PASSWORD

remram4y ago

Can't you also screenshoot it on your phone?

tkuraku4y ago

I generate the QR code and then add some text to make a kind of poster and print it out. Ios and android users can then just use their camera app to automatically connect to the wifi.

https://help.libreoffice.org/latest/en-GB/text/shared/guide/...

mynegation4y ago

This is a nice idea! I once whipped up a shell script to do the same thing.

UX feedback - disable autocorrections on the input fields [1], you may want to trim white space as well.

[1] https://davidwalsh.name/disable-autocorrect

baliex4y ago

Please don’t trim whitespace, I ended up on a network recently which had a space on the end of the SSID

ThePowerOfFuet4y ago

I hope you told them to fix their shit.

1 more reply

bndwOP4y ago

Thanks for the tip, added in https://github.com/bndw/wifi-card/commit/1924298335692eebc79...

koins4y ago

Shameless (mostly) plug here, https://github.com/kmanc/wifi_qr.

This repo of mine walks through how to use a raspberry pi with an eInk screen to automatically update passwords and the resulting QR code. Would love to see what y'all think!

patrickwalton4y ago

Cool! I was just thinking about this!

notyourwork4y ago

iOS share password functionality has really simplified things for guests. This is a neat idea for an AirBNB or similar short term rentals.

sq_4y ago

I’m such a huge fan of that functionality. It doesn’t always work perfectly (i.e. pick up someone nearby trying to join the network quickly), but when it does, it’s such an awesome example of tech making our lives better in such a simple but helpful way.

ronnier4y ago

I wish there was a way to force sharing. It’s very hard to get it to trigger.

willis9364y ago

The QR code seems to have the same amount of friction as the share password. It's something a guest can do asynchronously without needed someone else to do something.

Also, I like the use of guest SSIDs. My guest SSID is just like my main SSID but with L2 filtering for all traffic not going to the gateway. Guests can use my fast internet, but just not interact with my LAN or other guests. I also don't enforce WPA3 only on my guest network for legacy support.

BugsJustFindMe4y ago

Asking as a person who understands the fundamentals of all of the technologies involved but is horrified by much of what goes on in the minds of today's web developers and designers, what motivates the decision to make this repo use make, docker, yarn, npx, nginx, react, and jest rather than a bit of static HTML and css and something like qrjs2.js or VanillaQR.js with a simple canvas or datauri update in onInput?

bndwOP4y ago

Answering as the author who also understands the fundamentals of all of the technologies involved and questions much of what goes on in the minds of today's web developers and designers--

I use Make as the standard way to interact with every repo I own. This allows me to type `make build` instead of `$some-language-specific-command-I-forget-in-2-weeks`.

I use Docker for distributing every app I build. If the app is a website I also use the nginx base image. Docker images make packaging and distribution a breeze IMO.

Regarding yarn, npx, react, and jest: I'm similarly disillusioned by the churn but I also like to remain knowledgeable as the industry evolves. React was something I hadn't touched before, so I decided to pick a simple project to give it whirl ;)

weejewel4y ago

But now you’re paying for keeping a server online, whereas a GitHub page could’ve hosted this static website for free.

5 more replies

kortex4y ago

> I use Make as the standard way to interact with every repo I own.

After much fussing around with many kinds of solutions, this too is what I have settled on. Download repo and run `make` will "do the needful" to get you going, and all the major entry points are make stanzas.

1 more reply

manuel_w4y ago

> I use Make as the standard way to interact with every repo I own. This allows me to type `make build` instead of `$some-language-specific-command-I-forget-in-2-weeks`.

I also used to do this until I switched out Make by Just[1]. I find it worth a recommendation.

https://github.com/casey/just

2 more replies

lionkor4y ago

make all and make run would be more standard, no?

superjan4y ago

I liked your page. I might even use it!

valbaca4y ago

People love to constantly say "Want to learn to code? Make projects! projects! projects!" and then when someone makes a project as a means to learn a particular technology, now people turn up their nose and say "ew, why did you use this?"

Anyway, this project provides exactly what I needed. Thanks to OP for sharing! Slick and simple

remram4y ago

Make a project -> learn to code

Share a project -> get opinions on it

What's the problem?

1 more reply

occz4y ago

There's a simple explanation: people in this context refers to separate groups.

esolyt4y ago

Sure but if you want to learn a specific technology by making a project, it makes more sense to make a project that can actually benefit from that specific technology.

ZoomZoomZoom4y ago

> and then when someone makes a project as a means to learn a particular technology, now people turn up their nose and say "ew, why did you use this?"

Why post your learning project on HN then? You advertise and get free critique. Double win in my book. What's wrong with that?

1 more reply

csande174y ago

A lot of developers only know the new, needlessly complicated ways of doing things. I have met professional software engineers who have never heard of shared web hosting, for example.

It's also surprisingly possible to learn enough about programming to get a job without understanding basic computing concepts. I've met professional software engineers, with multiple years of experience and promotions under their belt, who did not know the difference between hard drives and RAM in a server context. I've literally code-reviewed attempts to deploy a database server with 1 TB of RAM in order to store 1 TB of data.

ozfive4y ago

No, how can you not know the difference between RAM and disk in a server context? What sort of programmers are these?

1 more reply

easton4y ago

I thought that was crazy, but reflecting over my CS education they haven’t gone over the difference between disk space and RAM. I suppose they figure everyone already knows?

4 more replies

vsareto4y ago

>A lot of developers only know the new, needlessly complicated ways of doing things.

Yeah that was inevitable in an industry that moves quickly, likes new stuff, and prefers fast, superficial learning when that's all you need to get your product out of the door. Google and StackOverflow are probably controlling a decent chunk of decision making these days such that you don't need to think about solutions too much.

elondaits4y ago

If I had done this project it would probably use node.js + gulp + sass + pug + browserify + babel + bootstrap ... or maybe Webpack instead of gulp and browserify (depends on the project).

Why? Because I have a website template that solves many things for me, like:

- I see no reason not to use SASS or the latest ES even though I know how to. Or pug, for that matter... which I like. I also have a SASS template with some utilities and a particular code organization.

- Using an ES bundler allows you to throw in libraries from npm. I would not write the QR code myself, for instance.

- Automatically watches sources and recompiles.

- Adds hashes to asset filenames in order to cache-bust changes in CSS/JS/images (critical when using a CDN).

- Has placeholders for things I'll probably need, like the metadata for building previews in social networks.

- Is prepared for dealing with i18n, if the need arises.

- Future-proofing, since 80% of projects you think are small end up becoming larger. This is a single-page site, but if I wanted to publish this in Europe it'd already need two extra pages for the Privacy Policy + Impressum... so the single page site suddenly needs to worry about navigation.

- It's prepared for quickly deploying to AWS or Github Pages. It could be quickly tweaked for working on Cloudflare Pages or other hosting/CI environments that do the compilation for you.

And most importantly...

... my stack does not negatively affect the end result. All the extra baggage is just part of the development environment. If you want to skip my tools, they're quite easy to bypass and replace for any other transpiler... or you can just ignore my sources, reindent my compiled files and work on them directly.

PS: Back in the 90s I drew complex table layouts on graph paper, typed them down with vi, and ftped them to the hosting. I'm well aware of the alternatives. My current workflow + templates + helpers are based on the need to efficiently juggle A LOT of completely different projects every year as a freelance developer.

jonahx4y ago

> All the extra baggage is just part of the development environment. If you want to skip my tools, they're quite easy to bypass and replace for any other transpiler... or you can just ignore my sources, reindent my compiled files and work on them directly.

This might be technically true, but is not true in any meaningful sense if another developer ever has to work with your code. They will have to deal with all your baggage, and their job will be much harder because of it.

2 more replies

cortesoft4y ago

I often choose simple, useful projects for learning new technology… i can’t learn something new if I am not using it for something useful, but I also don’t want to try to learn something new WHILE also solving a challenging problem… so something simple like this is a great sweet spot to learn new tech.

sergiomattei4y ago

Developer experience? Learning project? For fun?

If the maintainer is comfortable using that technology, let it be. No need to rain fire on it.

ykevinator34y ago

There's a lot of that around here

catchmeifyoucan4y ago

This app seems its using create react app, so agreed the app might come with a few extra things that you might not need. However, there are a few reasons I might choose CRA over static HTMl. Don’t get me wrong, HTML is great, but the developer experience can be primative.

Here is why I like using CRA for some projects:

1. Live reload. This comes for free with CRA. Makes dev work easy.

2. As easy as installing a component and getting started. And they logically fit in the code flow. Native import libraries, you have to write the JavaScript and point em to your divs and dom and initialize em.

3. Let’s say in the future, I want to reuse the code logic in a different app, I can just take the js and element as one unified component and move it across.

Tbh, for an app like this, after doing a production build (npm run build), I don’t think it’d make a radical difference in performance with raw html or react. Might just be dev preference, and ease of use.

Spivak4y ago

Docker with nginx because that’s your delivery pipeline. It’s much more common to have a place to run an OCI container than a directory to upload static HTML. CDNs operate on this model but there aren’t many turnkey “on-prem” solutions. The tooling to run a container and get it hooked into your web tier with routes is actually the easier path these days.

Edit: More

The reason for this model is that it makes everything the same and your caching tier is the great equalizer. Everything is a backend for your caching SSL terminating reverse proxy. And your static site will live in the cache for ages so once your cache is warm there’s no real performance hit.

banana_giraffe4y ago

I can't speak for the poster, but sometimes the fun is in using tools you know.

I don't know VanillaJS that well, so I took a stab at the same concept:

https://q726kbxun.github.io/qrcodes/

Not nearly as pretty, since I know even less about making pages pretty, but still, a fun little stab at making such a site.

BugsJustFindMe4y ago

I'd say that a tiny amount of CSS would make that basically perfect for the task, except that it's honestly already perfect for the task now. Though it looks like you replace semicolon a second time instead of colon in clean.

1 more reply

Evidlo4y ago

Would be nice if the code was in an image I could save.

2 more replies

renewiltord4y ago

The same reason I take a massive V8 engine attached to a massive truck bed one mile over to my friend’s place to watch England lose at the Euros. Turns out that sometimes, even when tool X isn’t the best at the job, it’s way better for me to use what’s at hand.

This is what a lot of people have trouble understanding: sometimes the best tool for the job is the tool you’re best in.

Evidence? No one has made this static website you’re talking about. It doesn’t exist. This one does. The imperfect app that exists beats the perfect app that is vapor.

jonahx4y ago

> No one has made this static website you’re talking about. It doesn’t exist. This one does. The imperfect app that exists beats the perfect app that is vapor.

Another poster whipped one together since this was posted, because it's so trivial to do with vanilla tech:

https://news.ycombinator.com/item?id=27804490

I also don't think anyone has a problem with someone who says: "I dunno, this was just the way I learned and I don't know the underlying tech."

But that's usually not what happens. Instead, there are endless rationalizations for why the obvious over-engineering is not only okay, but preferable.

pvaibhav24y ago

No, that’s not the best tool for the job, that’s just the most convenient tool for the job.

1 more reply

verelo4y ago

It’s the Rube Goldberg style of software development? Didn’t you hear? It’s super popular with the kids!

zdgeier4y ago

Made a simple page here https://news.ycombinator.com/item?id=27805746 to see how this would look

xeromal4y ago

Probably to learn those various technologies. Not only did they use a bunch of new tech, they made something other people can use in the process. Better than making a bunch of throwaway code.

dolmen4y ago

Of course, why write 50 lines of throwaway code when you can write 500?

Single static HTML files are under valued.

asiachick4y ago

To be slightly snarky, because the author wants to record your WiFi and Password.

That it was a learning project, ok. I guess.

numlock864y ago

What motivates you to use a feature rich browser on an OS with graphical user interface running on on-premise hardware including your own internet line and all those peripherals if you could just use CLI from a good old VT100 hooked up to your nearest mainframe to HTTP POST a comment on HN?

Yeah, probably because nowadays you just do it like that.

jbverschoor4y ago

Ease of distribution and sandboxing

_def4y ago

I got a QR code like this on the wall with the SSID and the password written on the paper as well as a NFC tag with the wifi credentials between the paper and the wall.

I think nobody ever has scanned the QR code.

war10254y ago

Do you mean they use the NFC tag or manually enter the username / password, or just that no one uses any of it?

PenguinCoder4y ago

I have a QR code for guests and Wi-Fi too. Unfortunately it doesn't seem to work as expected on iphones but works fine on Android. Wouldn't think a QR code was platform specific.

ValentineC4y ago

I just tried generating a QR code on the linked site, and scanning it with my iPhone on iOS 14. Seems to work fine.

wingspan4y ago

Really neat! I whipped up a single file HTML version [1] with a demo [2] using only a CDN-hosted QR library. Thanks for the distraction!

[1] https://gist.github.com/ianobermiller/9f17f1022bc75c2228d742...

[2] https://bl.ocks.org/ianobermiller/raw/9f17f1022bc75c2228d742...

shoto_io4y ago

I am sure that this is not what this site is for. But...

For a moment I thought: What a great attack vector. Collect WiFi passwords from around the globe.

thepete24y ago

My first though was "Why would I ever enter my wifi credentials into a web form?", but perhaps there are people who would...

quenix4y ago

To be fair it’s fairly easy to check that it didn’t send any data over the wire

2 more replies

dolmen4y ago

No better than obfuscated JavaScript to give trust to the average HN reader.

qifita4y ago

This can be done locally in the browser with qifi: https://github.com/evgeni/qifi

jacobmischka4y ago

This app also does this locally in the browser.

cushychicken4y ago

A nice, friction reducing optimization for a home user.

Great work, OP. I'll be printing one for my fridge later today.

claviska4y ago

This is cool. I whipped up a quick clone on CodePen using Shoelace web components for fun: https://codepen.io/claviska/pen/NWjbdoK

mpva4y ago

Looks like a great way to farm a list of commonly used passwords for users or just wifis.

I never trust anything online that generates anything with a password. I got burned from a crypto wallet scam once. but fool be twice...!!!

aiisjustanif4y ago

RIP password managers.

Softcadbury4y ago

Love the source code, so clean. First time I see a makefile used like that with Docker and front commands.

y04nn4y ago

I like to use make as it's available everywhere. I use Makefiles with podman to create images, containers, pods, start, stop them and display logs. With the alias 'm' for make I can execute complex actions with very few keystrokes. Also variables in Makefiles make it easy to updates labels, volumes, etc. But I would not use make for very complex projects.

b3morales4y ago

You might enjoy The Language Agnostic, All-Purpose, Incredible, Makefile https://blog.mindlessness.life/2019/11/17/the-language-agnos...

lifthrasiir4y ago

Make is tremendously useful for running jobs with (static) dependencies. I used to run make for managing Docker instances until docker-compose became a thing.

cghendrix4y ago

Very cool and nicely executed! Love it

bndwOP4y ago

Thank you for the kind words!

sleavey4y ago

Can you actually point your phone camera at a QR code and have it connect automatically, as the website says? I generally avoid QR codes as they obfuscate the target URL, but I thought you needed an app for reading them on Android and possibly also iOS.

jackson14424y ago

It’s definitely built into iOS, just point the camera app at it and it’ll tell you what the domain behind the qr is, then just touch to follow the link.

Something like wifi will have a custom prompt that says “Connect to WiFi network MyNetwork.”

drusepth4y ago

The default Android camera app will read them for you (and display the URL before you tap to open it in a browser) by either pointing the default camera at a QR code or manually scanning it with the "Lens" camera mode.

The Android wifi menu (where you select from nearby networks to join) also has a QR icon that lets you scan to immediately join a network (next to "Add network"). I'd imagine you'd also join if you scanned it from the camera app, too.

asutekku4y ago

Most phone cameras nowadays have a built in qr-code reader.

sleavey4y ago

But does it automatically recognise it as an SSID and password and connect as the website suggests?

3 more replies

wooptoo4y ago

The format is:

WIFI:S:<SSID>;T:<WPA|WPA3|WEP>;P:<password>;;

And can be generated with any qrencode program.

ammar_x4y ago

Really cool, despite that some comments show that generating such QR codes can be done with a simple command; because using this service is faster for me as a person who is not familiar with QRs.

kurthr4y ago

This is probably safe, but I really can't bring myself to do it.

blantonl4y ago

The source code is here, so run it yourself.

https://github.com/bndw/wifi-card

OJFord4y ago

If you're going to do that, simpler to just use `qrencode` with the same contents as this is using:

    WIFI:T:WPA;S:${ssid};P:${password};;

Unless you need to frequently generate WiFi login QR codes (single purpose!) from a device without a convenient command line, e.g. mobile, there's not really a reason to self-host this.

(It makes sense for OP/the project to host it as a demo and for people who don't care or trust it to use though - I'm not hating on the site existing.)

unwiredben4y ago

Running it on Firefox with web inspector opened, I saw no network traffic at all after the page loaded, so it wasn't sending the network name or password anywhere off my device.

gruez4y ago

This method picks up "most" requests, but not all. eg. websocket and webrtc can be used to exfiltrate data but it won't show up on inspector.

1 more reply

johtso4y ago

Are there any tools to run an untrusted client side web application isolated from the internet?

boring_twenties4y ago

useradd -m luser

iptables -I OUTPUT 1 -m owner --uid-owner luser -j REJECT

Now log in as luser and run your browser.

1 more reply

gruez4y ago

turn off wifi/unplug network cable?

2 more replies

tambourine_man4y ago

The magic here is that there's a WiFi URL scheme. I never knew. Don't know how well supported it is on old OSs but it's pretty cool:

wifi: // [username] : [password] @ ssid

barbarbar4y ago

I am not sure I understand the app. Is it 2 input fields one for name and one for password? Which you then print? Is that the functionality - or have I misunderstood?

cyral4y ago

The QR code it generates can be scanned by a phone to connect to a WiFi network without typing anything

barbarbar4y ago

Ah OK - that can make some sense in case name and password are very difficult to type. Thank you for the explanation.

soheil4y ago

So apparently navigating to a URL similar to this on iPhone connects you to the specified wifi [0]:

  WIFI:T:WPA;S:${ssid};P:${password};;

[0] https://github.com/bndw/wifi-card/blob/master/src/components...

gruez4y ago

On ios it works fine with the default camera app, but what about android? I'd guess support varies depending on vendor?

graton4y ago

The native photo app supports QR codes on my Google Pixel phone.

Once it sees a QR code then it shows some text that you can touch to open the link.

j03b4y ago

Seems to be using the same format as https://qifi.org/, which lists supported devices, but of course due to the lack of native QR on most Android devices it's per-app rather than per-phone.

captn3m04y ago

It's 2021 and Android still has fragmented QR scanning.

1 more reply

sq_4y ago

If I remember correctly from playing with this stuff a few years ago, there’s a simple text format for WiFi SSIDs and passwords that’s recognized by both iOS and Android, among others.

77pt774y ago

It works on my stock android photo app.

garybake4y ago

"Tape it to the fridge" Please don't do this, at least keep it hidden from general viewing.

collsni4y ago

I almost gave my SSID and password over to this guy, that's an interesting fishing technique.

collsni4y ago

Hey I almost gave my ssid and pw over to this guy. That's an interesting phishing technique

geonnave4y ago

A nice addition would be either (1) support other languages or (2 - simpler) the ability to edit the field titles (e.g. change from "Network name" to "Nome da rede").

system24y ago

It is open source, you can simply CTRL+F and replace those if your case requires. Or you can create a dropdown somewhere with those variables to replace the placeholder texts etc.

kevincox4y ago

You can also set up an NFC tag for WiFi. It works basically the same but saves with fiddling with your QR reader, just tap the phone to the tag and click connect.

moepstar4y ago

Just a FYI/PSA: Fritz!Box routers by AVM do have that option right in their WiFi-settings page...

Also, there are lots of offline QR generator apps...

readingnews4y ago

At first I was like "OMG, this is going to be awesome, this person has a QR generator which will magically connect me to the WiFi with my password embedded in the QR somehow. I am going to have to read the source... This is gonna be great... but then, disappointment. It is just a card with my password in plain text. Why the heck would I ever print this out?

bndwOP4y ago

  a QR generator which will magically connect me to the WiFi with my password embedded in the QR somehow.

This is indeed what it does, but it also includes the plaintext password in case you want to connect a device that doesn't have a camera, like a PC. There's an open issue for adding a "hide password" option. You could also just cut off or scribble out the password on the print out.

black3r4y ago

This is for public encrypted guest WiFi networks, to make guests lives more comfortable... you can scan this with your phone to automatically connect without needing to type the password which can come handy if the password is at least somewhat secure.

Usually it's printed in the same places where you would actually print your plaintext Wi-Fi password, if you're already doing that, for example in restaurants (e.g. QR code inside a menu card that's only given to actual customers), offices (QR code inside meeting room for actual guests), airbnbs (QR code on a fridge inside your house), hotels (QR code inside the room with a router))

filleokus4y ago

I’m guessing the whole point behind the “standard” is to allow quick and easy access to protected networks. It’s an alternative / compliment to verbally telling someone the passphrase, or having it printed in clear text on a paper.

Think of hotels / offices with guest networks. I use it for my wifi, my home network is not secretive enough to not let friends / family join it when at my place.

jackson14424y ago

Wifi passwords aren’t supposed to be secure. Really they’re only to keep people off the network that you want to keep, well, off the network. The current method of connecting someone to wifi is usually just telling them the password. If the guest has a computer on the network (or a mac signed into the same apple ID as an apple device on the network), it’s trivial to figure out a network password that was entered for you.

If you’re wanting a _really_ secure network, WPA2 isn’t the way to go. You’d want to credential every user using 802.1X or WPA2 Enterprise.

Steve04y ago

It depends on the qr-code scanner you have on your phone. The one on my android shows a button 'connect to this network'.

In regards to security, you are completely correct. But this is to be used in cases where one would put a paper with the password on the wall, think of coffee shops. Saves some typing. Or you can put a card on your coffee table to help out your house guests.

tomjen34y ago

Because it is now trivially to let other people connect to your wifi.

slig4y ago

Suppose you have a long password for your WiFi and want an easier way for friends to connect to your network without having to type a complex password.

ChrisArchitect4y ago

more QR meh -- how does one use this? Assuming everyone has native QR code ability that ties into Network setups? Sorry if I'm behind but is this standard in Android now? (who cares about iOS, let's go with broader platform for now)

i5heu4y ago

How convenient I asked myself this question about five hours ago!

There are chances out there, unbelievable.

krishnan-r4y ago

Why would you trust a random page on the internet and go paste your wifi password on it?

jackson14424y ago

Is your threat model really so severe that it includes someone driving to your house and connecting to your wifi network? Of all passwords, a wifi password is one you should _never_ reuse.

You could also inspect the source, it’s open source, or network requests.

black3r4y ago

opening in incognito tab with internet disconnected to make sure it works offline and that nothing gets sent after you close the incognito tab should be safe & secure but yeah you can also google the proper qr code format and make it yourself using qrencode in terminal or something like that...

but for semi-public WiFis like the ones in restaurants, hotels, ... it's a survivable risk

owlbynight4y ago

I don't, that's why having access to the source code is cool.

jaimex24y ago

On Android just go to Settings > Wifi > SSID > Share

From there its up to you how you print.

Snawoot4y ago

Cool! I wonder if we can generate QR code for WPA2 Enterprise with EAP-TLS?

hendry4y ago

No password on my farm.

Why bother setting a password in a non-crowded area?

black3r4y ago

Depending on how remote your farm is and how strong is the WiFi signal outside your premises (from a nearby public road, ..).

Average case you are in the middle of bumfuck nowhere with a huge private property surrounding your WiFi and nothing's gonna happen.

Worse case some script kiddie attacks your vulnerable router (if using default password) or a smart gadget (if you have some and it's a couple of years old) to join a botnet and get your IP address on a blacklist limiting your internet usability (blacklisted IPs may not be able to send e-mails, may get captchas on major websites like Google, ...)

Worst case someone driving around noticing you have an open WiFi may drop a battery/solar powered raspberry pi with a 4G modem nearby your WiFi and use your WiFi as an untraceable VPN/proxy to perform some illegal stuff (e.g. upload child pornography or perform some serious hacking) and getting you in trouble with the law.

867-53094y ago

for this to work device-agnostically presumably there is a URL scheme such as "wifi://", can anyone confirm?

tomcam4y ago

This is a ridiculously good idea. Thank you.

edison1123584y ago

The Shortcuts app on iPhone can do this.

13daug4y ago

I never had of cards how do you get it

renewiltord4y ago

Cool app, dude. Thanks for sharing.

spikepuppet4y ago

This is really cool! Good work!

maxclark4y ago

Thank you for this!

nuker4y ago

Nice try, lol. People, never enter your passwords on such pages.

ExtraE4y ago

Relevant xkcd: https://xkcd.com/792/

modinfo4y ago

This looks like a simple WiFi password generator, a cooler solution would be to generate one-time passwords for guests. When someone comes to you, they can click on the touch display to generate a password, each guest can then have a separate VLAN.

koffiezet4y ago

That's a bit more elaborate, but with WPA enterprise, a radius server and a web-ui this should be pretty doable

failwhaleshark4y ago

Neat. Works with Unicode!

Feature request: giant passwords like that one that was posted on the side of a building.

I ran it with network off and saw the code, so it looks safe.

memming4y ago

I'm here for the top comment.

j / k navigate · click thread line to collapse

326 comments

WanderPanda4y ago