Used for user authentication to prove identity or access approval

A password field in a sign in form.

A password, sometimes called a passcode (for example in Apple devices),[1] is secret data, typically a string of characters, usually used to confirm a user's identity.[1] Traditionally, passwords were expected to be memorized,[2] but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical.[3] Using the terminology of the NIST Digital Identity Guidelines,[4] the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol,[5] the verifier is able to infer the claimant's identity.

In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a personal identification number (PIN).

Despite its name, a password does not need to be an actual word; indeed, a non-word (in the dictionary sense) may be harder to guess, which is a desirable property of passwords. A memorized secret consisting of a sequence of words or other text separated by spaces is sometimes called a passphrase. A passphrase is similar to a password in usage, but the former is generally longer for added security.[6]

History

Passwords have been used since ancient times. Sentries would challenge those wishing to enter an area to supply a password or watchword, and would only allow a person or group to pass if they knew the password. Polybius describes the system for the distribution of watchwords in the Roman military as follows:

The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword—that is a wooden tablet with the word inscribed on it—takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next to him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.[7]

Passwords in military use evolved to include not just a password, but a password and a counterpassword; for example in the opening days of the Battle of Normandy, paratroopers of the U.S. 101st Airborne Division used a password—flash—which was presented as a challenge, and answered with the correct response—thunder. The challenge and response were changed every three days. American paratroopers also famously used a device known as a "cricket" on D-Day in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply.[8]

Passwords have been used with computers since the earliest days of computing. The Compatible Time-Sharing System (CTSS), an operating system introduced at MIT in 1961, was the first computer system to implement password login.[9][10] CTSS had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy."[11] In the early 1970s, Robert Morris developed a system of storing login passwords in a hashed form as part of the Unix operating system. The system was based on a simulated Hagelin rotor crypto machine, and first appeared in 6th Edition Unix in 1974. A later version of his algorithm, known as crypt(3), used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed dictionary attacks.[12]

In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.

Choosing a secure and memorable password

The easier a password is for the owner to remember generally means it will be easier for an attacker to guess.[13] However, passwords that are difficult to remember may also reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password across different accounts. Similarly, the more stringent the password requirements, such as "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.[14] Others argue longer passwords provide more security (e.g., entropy) than shorter passwords with a wide variety of characters.[15]

In The Memorability and Security of Passwords,[16] Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords.

Combining two or more unrelated words and altering some of the letters to special characters or numbers is another good method,[17] but a single dictionary word is not. Having a personally designed algorithm for generating obscure passwords is another good method.[18]

However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises one of the letters). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1', substitutions that are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.[19]

In 2013, Google released a list of the most common password types, all of which are considered insecure because they are too easy to guess (especially after researching an individual on social media):[20]

  • The name of a pet, child, family member, or significant other
  • Anniversary dates and birthdays
  • Birthplace
  • Name of a favorite holiday
  • Something related to a favorite sports team
  • The word "password"

Alternatives to memorization

Traditional advice to memorize passwords and never write them down has become a challenge because of the sheer number of passwords users of computers and the internet are expected to maintain. One survey concluded that the average user has around 100 passwords.[3] To manage the proliferation of passwords, some users employ the same password for multiple accounts, a dangerous practice since a data breach in one account could compromise the rest. Less risky alternatives include the use of password managers, single sign-on systems and simply keeping paper lists of less critical passwords.[21] Such practices reduce the number of passwords that must be memorized to a more manageable figure, in the limit just the password manager's master password.

Factors in the security of a password system

The security of a password-protected system depends on several factors. The overall system must be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. Passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any of the available automatic attack schemes. See password strength and computer security for more information.[22]

Nowadays, it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to prevent bystanders from reading the password; however, some argue that this practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.[22]

Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.[23] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.

Some specific password management issues that must be considered when thinking about, choosing, and handling a password follow.

Rate at which an attacker can try guessed passwords

The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts, also known as throttling.[4]: 63B §5.2.2 In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords if they have been well chosen and are not easily guessed.[24]

Many systems store a cryptographic hash of the password. If an attacker gets access to the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. In the example of a web server, an online attacker can guess only at the rate at which the server will respond, while an offline attacker (who has obtained the file) can guess at a rate limited only by the hardware on which the attack is running.

Passwords that are used to generate cryptographic keys (e.g., for disk encryption or Wi-Fi security) can also be subjected to high rate guessing. Lists of common passwords are widely available and can make password attacks very efficient. (See Password cracking.) Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker. Some systems, such as PGP and Wi-Fi WPA, apply a computation-intensive hash to the password to slow such attacks. See key stretching.

Limits on the number of password guesses

An alternative to limiting the rate at which an attacker can make guesses on a password is to limit the total number of guesses that can be made. The password can be disabled, requiring a reset, after a small number of consecutive bad guesses (say 5); and the user may be required to change the password after a larger cumulative number of bad guesses (say 30), to prevent an attacker from making an arbitrarily large number of bad guesses by interspersing them between good guesses made by the legitimate password owner.[25] Attackers may conversely use knowledge of this mitigation to implement a denial of service attack against the user by intentionally locking the user out of their own device; this denial of service may open other avenues for the attacker to manipulate the situation to their advantage via social engineering.
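The throttling described in the previous section and the two guess limits described here (disable after a few consecutive bad guesses, force a change after a larger cumulative count), as an added example that is not from the article or any of its sources. The policy numbers (3 failures before a time-out, 5 consecutive and 30 cumulative) follow the text; the 5-second time-out, the `FakeClock` helper, and the class and function names are my own assumptions. The clock is injected so the time-out can be stepped in a test instead of slept through.

```python
import time
from dataclasses import dataclass

# Policy values from the text: throttle after 3 failures, disable after 5
# consecutive bad guesses, force a change after 30 cumulative bad guesses.
# The 5-second time-out length is a constructed value.
THROTTLE_AFTER = 3
THROTTLE_SECONDS = 5.0
LOCK_AFTER_CONSECUTIVE = 5
FORCE_CHANGE_AFTER_TOTAL = 30


class FakeClock:
    """Hypothetical test clock so the time-out can be stepped, not slept."""
    def __init__(self):
        self.now = 1000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class Account:
    password: str             # plaintext only to keep the example short
    consecutive_failures: int = 0
    total_failures: int = 0
    throttled_until: float = 0.0
    locked: bool = False
    must_change: bool = False


class Verifier:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}

    def add(self, user, password):
        self.accounts[user] = Account(password)

    def attempt(self, user, guess):
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None:
            return "denied"           # same answer as a wrong password: no username oracle
        if acct.locked:
            return "locked"           # reset required; the text notes this is also a DoS lever
        if now < acct.throttled_until:
            return "throttled"        # guesses during the time-out are not evaluated at all
        if guess == acct.password:    # real code compares hashes with hmac.compare_digest
            acct.consecutive_failures = 0
            return "must_change" if acct.must_change else "ok"
        acct.consecutive_failures += 1
        acct.total_failures += 1
        if acct.consecutive_failures >= LOCK_AFTER_CONSECUTIVE:
            acct.locked = True
            return "locked"
        if acct.total_failures >= FORCE_CHANGE_AFTER_TOTAL:
            acct.must_change = True   # bad guesses interleaved with good ones still add up
        if acct.consecutive_failures >= THROTTLE_AFTER:
            acct.throttled_until = now + THROTTLE_SECONDS
        return "denied"


def run_scenarios():
    """Exercise the time-out: three failures, a correct guess inside the
    time-out (rejected unevaluated), then the same guess once it has expired."""
    clock = FakeClock()
    v = Verifier(clock)
    v.add("alice", "correct horse")
    seq = [v.attempt("alice", "wrong") for _ in range(3)]
    seq.append(v.attempt("alice", "correct horse"))   # right password, still throttled
    clock.advance(THROTTLE_SECONDS)
    seq.append(v.attempt("alice", "correct horse"))
    return seq


if __name__ == "__main__":
    print(run_scenarios())   # ['denied', 'denied', 'denied', 'throttled', 'ok']
```

Note that a throttled attempt is not counted as a failure: the guess is never compared, so an attacker gains nothing from submitting during the time-out, and a legitimate user who retries too soon is not pushed toward the lock-out.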

Form of stored passwords

Some computer systems store user passwords as plaintext, against which to compare user logon attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.

More secure systems store each password in a cryptographically protected form, so that access to the actual password remains difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible. The most secure do not store passwords at all, but a one-way derivation, such as a polynomial, modulus, or an advanced hash function.[15] Roger Needham invented the now-common approach of storing only a "hashed" form of the plaintext password.[26][27] When a user types in a password on such a system, the password handling software runs it through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a cryptographic hash function to a string consisting of the submitted password and, in many implementations, another value known as a salt. A salt prevents attackers from easily building a list of hash values for common passwords and prevents password cracking efforts from scaling across all users.[28] MD5 and SHA1 are frequently used cryptographic hash functions, but they are not recommended for password hashing unless they are used as part of a larger construction such as in PBKDF2.[29]

The stored data—sometimes called the "password verifier" or the "password hash"—is often stored in Modular Crypt Format or RFC 2307 hash format, sometimes in the /etc/passwd file or the /etc/shadow file.[30]

The main storage methods for passwords are plain text, hashed, hashed and salted, and reversibly encrypted.[31] If an attacker gains access to the password file and it is stored as plain text, no cracking is necessary. If it is hashed but not salted, it is vulnerable to rainbow table attacks (which are more efficient than cracking). If it is reversibly encrypted, then no cracking is necessary if the attacker obtains the decryption key along with the file, while cracking is not possible if the key is not obtained. Thus, of the common storage formats for passwords, only when passwords have been salted and hashed is cracking both necessary and possible.[31]

If a cryptographic hash function is well designed, it is computationally infeasible to reverse the function to recover a plaintext password. An attacker can, however, use widely available tools to attempt to guess the passwords. These tools work by hashing possible passwords and comparing the result of each guess to the actual password hashes. If the attacker finds a match, they know that their guess is the actual password for the associated user. Password cracking tools can operate by brute force (i.e. trying every possible combination of characters) or by hashing every word from a list; large lists of possible passwords in many languages are widely available on the Internet.[15] The existence of password cracking tools allows attackers to easily recover poorly chosen passwords. In particular, attackers can quickly recover passwords that are short, dictionary words, simple variations on dictionary words, or that use easily guessable patterns.[32] A modified version of the DES algorithm was used as the basis for the password hashing algorithm in early Unix systems.[33] The crypt algorithm used a 12-bit salt value so that each user's hash was unique and iterated the DES algorithm 25 times in order to make the hash function slower, both measures intended to frustrate automated guessing attacks.[33] The user's password was used as a key to encrypt a fixed value. More recent Unix or Unix-like systems (e.g., Linux or the various BSD systems) use more secure password hashing algorithms such as PBKDF2, bcrypt, and scrypt, which have large salts and an adjustable cost or number of iterations.[34] A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed and insecure example.[35]
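The stored-form discussion above (salt, slow construction, the verifier string, and the constant-time comparison at login) as an added example that is not from the article or any of its sources: storing and checking a password with PBKDF2-HMAC-SHA256, the construction the text names. The verifier string is laid out in the style of Modular Crypt Format, but the exact field layout and the `pbkdf2-sha256` label are my own choices for the example, not a registered scheme; the iteration count is a constructed placeholder to be tuned to the deployment's hardware budget. The last function shows the property the salt exists to break: without it, two users with the same password produce the same hash.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # constructed placeholder; tune to the verification time you can afford


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a verifier string: $pbkdf2-sha256$<iterations>$<salt>$<derived key>.

    The salt and iteration count travel with the hash so the verifier can be
    re-derived later even after the default cost is raised."""
    salt = os.urandom(16) if salt is None else salt       # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        _, scheme, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256":
        return False                                       # unknown or legacy format: reject
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             _unb64(salt_b64), int(iters), dklen=32)
    return hmac.compare_digest(dk, _unb64(hash_b64))      # no early-exit timing leak


def unsalted_sha1(password: str) -> str:
    """The form the text warns against: same input, same output for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_password_same_hash(pw_a: str, pw_b: str, iterations: int = ITERATIONS):
    """Compare the two storage forms for two users who chose the same password.

    Returns (unsalted_collides, salted_collides)."""
    unsalted = unsalted_sha1(pw_a) == unsalted_sha1(pw_b)
    salted = hash_password(pw_a, iterations=iterations) == hash_password(pw_b, iterations=iterations)
    return unsalted, salted


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(same_password_same_hash("password1", "password1"))         # (True, False)
```

The `$`-delimited layout means the stored record is self-describing: a migration to a higher iteration count, or to a different scheme, can be done at the user's next successful login by checking the stored cost and re-hashing, without any knowledge of the plaintext beforehand.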

Methods of verifying a password over a network

Simple transmission of the password

Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packeted data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.

Email is sometimes used to distribute passwords, but this is generally an insecure method. Since most email is sent as plaintext, a message containing a password is readable without effort during transport by any eavesdropper. Further, the message will be stored as plaintext on at least two computers: the sender's and the recipient's. If it passes through intermediate systems during its travels, it will probably be stored there as well, at least for some time, and may be copied to backup, cache or history files on any of these systems.

Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in clear text.

Transmission through encrypted channels

The risk of interception of passwords sent over the Internet can be reduced by, among other approaches, using cryptographic protection. The most widely used is the Transport Layer Security (TLS, previously called SSL) feature built into most current Internet browsers. Most browsers alert the user of a TLS/SSL-protected exchange with a server by displaying a closed lock icon, or some other sign, when TLS is in use. There are several other techniques in use; see cryptography.

Hash-based challenge–response methods

Unfortunately, there is a conflict between stored hashed-passwords and hash-based challenge–response authentication; the latter requires a client to prove to a server that they know what the shared secret (i.e., password) is, and to do this, the server must be able to obtain the shared secret from its stored form. On many systems (including Unix-type systems) doing remote authentication, the shared secret usually becomes the hashed form and has the serious limitation of exposing passwords to offline guessing attacks. In addition, when the hash is used as a shared secret, an attacker does not need the original password to authenticate remotely; they only need the hash.
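The conflict described in the paragraph above, as an added toy exchange that is not from the article or any of its sources: the server stores a derived value of the password, sends a fresh nonce, and the client answers with an HMAC keyed by that same derived value. The protocol, the unsalted SHA-256 derivation, and all names here are my own simplifications chosen to make the point visible; a real deployment would use a standardised challenge-response mechanism. The two checks at the end show the property a defender cares about: a fresh, single-use nonce stops replay of a captured response, but the server's stored value is itself the shared secret, so the store has to be protected as if it held the passwords.

```python
import hashlib
import hmac
import os


def derive_shared_secret(password: str) -> bytes:
    """Hypothetical derivation held by both sides: the client computes it from
    the typed password, the server keeps it in the account store."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Server:
    def __init__(self):
        self.store = {}      # user -> derived secret; this value is the verifier
        self.pending = {}    # user -> outstanding nonce

    def enroll(self, user: str, password: str) -> None:
        self.store[user] = derive_shared_secret(password)

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)               # fresh per attempt
        self.pending[user] = nonce
        return nonce

    def check(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a replayed response has no nonce to match
        secret = self.store.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(derive_shared_secret(password), nonce, hashlib.sha256).digest()


def run_login(server: Server, user: str, password: str) -> bool:
    """Full exchange: server -> nonce; client -> HMAC(secret, nonce); server verifies."""
    nonce = server.challenge(user)
    return server.check(user, client_response(password, nonce))


def replay_is_rejected(server: Server, user: str, password: str) -> bool:
    """A response captured on the wire is useless a second time."""
    nonce = server.challenge(user)
    resp = client_response(password, nonce)
    first = server.check(user, resp)
    second = server.check(user, resp)        # no pending nonce any more
    return first and not second


def stored_value_is_sufficient(server: Server, user: str) -> bool:
    """The limitation from the text: the value in the server's store alone
    produces a valid response, so a copy of the store is as sensitive as the
    passwords it stands in for. This is what augmented PAKEs are designed to avoid."""
    nonce = server.challenge(user)
    resp = hmac.new(server.store[user], nonce, hashlib.sha256).digest()
    return server.check(user, resp)


if __name__ == "__main__":
    s = Server()
    s.enroll("alice", "hunter2")
    print(run_login(s, "alice", "hunter2"))        # True
    print(run_login(s, "alice", "wrong"))          # False
    print(replay_is_rejected(s, "alice", "hunter2"))   # True
    print(stored_value_is_sufficient(s, "alice"))  # True
```

Contrast this with the salted, slow hash used for plain login: there the server never needs to reconstruct the password or a fixed key from it, so the stored record is only useful to an attacker after guessing. With challenge-response over a stored hash, the record is useful immediately, which is exactly the trade-off the paragraph describes.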

Zero-knowledge password proofs

Rather than transmitting a password, or transmitting the hash of the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without exposing it.

Moving a step further, augmented systems for password-authenticated key agreement (e.g., AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and limitation of hash-based methods. An augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the un-hashed password is required to gain access.

Procedures for changing passwords

Usually, a system must provide a way to change a password, either because a user believes the current password has been (or might have been) compromised, or as a precautionary measure. If a new password is passed to the system in unencrypted form, security can be lost (e.g., via wiretapping) before the new password can even be installed in the password database and if the new password is given to a compromised employee, little is gained. Some websites include the user-selected password in an unencrypted confirmation e-mail message, with the obvious increased vulnerability.

Identity management systems are increasingly used to automate the issuance of replacements for lost passwords, a feature called self-service password reset. The user's identity is verified by asking questions and comparing the answers to ones previously stored (i.e., when the account was opened).

Some password reset questions ask for personal information that could be found on social media, such as mother's maiden name. As a result, some security experts recommend either making up one's own questions or giving false answers.[36]

Password longevity

"Password aging" is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often). Such policies usually provoke user protest and foot-dragging at best and hostility at worst. There is often an increase in the number of people who note down the password and leave it where it can easily be found, as well as help desk calls to reset a forgotten password. Users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable.[37] Because of these issues, there is some debate as to whether password aging is effective.[38] Changing a password will not prevent abuse in most cases, since the abuse would often be immediately noticeable. However, if someone may have had access to the password through some means, such as sharing a computer or breaching a different site, changing the password limits the window for abuse.[39]

Number of users per password

Allotting separate passwords to each user of a system is preferable to having a single password shared by legitimate users of the system, certainly from a security viewpoint. This is partly because users are more willing to tell another person (who may not be authorized) a shared password than one exclusively for their use. Single passwords are also much less convenient to change because many people need to be told at the same time, and they make removal of a particular user's access more difficult, as for instance on graduation or resignation. Separate logins are also often used for accountability, for example to know who changed a piece of data.

Password security architecture

Common techniques used to improve the security of computer systems protected by a password include:

  • Not displaying the password on the display screen as it is being entered or obscuring it as it is typed by using asterisks (*) or bullets (•).
  • Allowing passwords of adequate length. (Some legacy operating systems, including early versions of Unix and Windows, limited passwords to an 8 character maximum,[40][41][42] reducing security.)
  • Requiring users to re-enter their password after a period of inactivity (a semi log-off policy).
  • Enforcing a password policy to increase password strength and security.
    • Assigning randomly chosen passwords.
    • Requiring minimum password lengths.[29]
    • Some systems require characters from various character classes in a password—for example, "must have at least one uppercase and at least one lowercase letter". However, all-lowercase passwords are more secure per keystroke than mixed capitalization passwords.[43]
    • Employing a password blacklist to block the use of weak, easily guessed passwords.
    • Providing an alternative to keyboard entry (e.g., spoken passwords, or biometric identifiers).
    • Requiring more than one authentication system, such as two-factor authentication (something a user has and something the user knows).
  • Using encrypted tunnels or password-authenticated key agreement to prevent access to transmitted passwords via network attacks
  • Limiting the number of allowed failures within a given time period (to prevent repeated password guessing). After the limit is reached, further attempts will fail (including correct password attempts) until the beginning of the next time period. However, this is vulnerable to a form of denial of service attack.
  • Introducing a delay between password submission attempts to slow down automated password guessing programs.

Some of the more stringent policy enforcement measures can pose a risk of alienating users, possibly decreasing security as a result.

Password reuse

It is common practice amongst computer users to reuse the same password on multiple sites. This presents a substantial security risk, because an attacker needs to only compromise a single site in order to gain access to other sites the victim uses. This problem is exacerbated by also reusing usernames, and by websites requiring email logins, as it makes it easier for an attacker to track a single user across multiple sites. Password reuse can be avoided or minimized by using mnemonic techniques, writing passwords down on paper, or using a password manager.[44]

It has been argued by Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, that password reuse is inevitable, and that users should reuse passwords for low-security websites (which contain little personal data and no financial information, for example) and instead focus their efforts on remembering long, complex passwords for a few important accounts, such as bank accounts.[45] Forbes made a similar argument for not changing passwords as often as many "experts" advise, citing the same limitations of human memory.[37]

Writing down passwords on paper

Historically, many security experts asked people to memorize their passwords: "Never write down a password". More recently, many security experts such as Bruce Schneier recommend that people use passwords that are too complicated to memorize, write them down on paper, and keep them in a wallet.[46][47][48][49][50][51][52]

Password manager software can also store passwords relatively safely, in an encrypted file sealed with a single master password.

After death

According to a survey by the University of London, one in ten people are now leaving their passwords in their wills to pass on this important information when they die. One-third of people, according to the poll, agree that their password-protected data is important enough to pass on in their will.[53]

Multi-factor authentication

Multi-factor authentication schemes combine passwords (as "knowledge factors") with one or more other means of authentication, to make authentication more secure and less vulnerable to compromised passwords. For example, a simple two-factor login might send a text message, e-mail, automated phone call, or similar alert whenever a login attempt is made, possibly supplying a code that must be entered in addition to a password.[54] More sophisticated factors include such things as hardware tokens and biometric security.

Password rules

Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g., upper and lower case, numbers, and special characters), prohibited elements (e.g., use of one's own name, date of birth, address, telephone number). Some governments have national authentication frameworks[55] that define requirements for user authentication to government services, including requirements for passwords.

Many websites enforce standard rules such as minimum and maximum length, but also frequently include composition rules such as featuring at least one capital letter and at least one number/symbol. These latter, more specific rules were largely based on a 2003 report by the National Institute of Standards and Technology (NIST), authored by Bill Burr.[56] It originally proposed the practice of using numbers, obscure characters and capital letters and updating regularly. In a 2017 Wall Street Journal article, Burr reported he regrets these proposals and made a mistake when he recommended them.[57]

According to a 2017 rewrite of this NIST report, many websites have rules that actually have the opposite effect on the security of their users. This includes complex composition rules as well as forced password changes after certain periods of time. While these rules have long been widespread, they have also long been seen as annoying and ineffective by both users and cyber-security experts.[58] The NIST recommends people use longer phrases as passwords (and advises websites to raise the maximum password length) instead of hard-to-remember passwords with "illusory complexity" such as "pA55w+rd".[59] A user prevented from using the password "password" may simply choose "Password1" if required to include a number and uppercase letter. Combined with forced periodic password changes, this can lead to passwords that are difficult to remember but easy to crack.[56]

Paul Grassi, one of the 2017 NIST report's authors, further elaborated: "Everyone knows that an exclamation point is a 1, or an I, or the last character of a password. $ is an S or a 5. If we use these well-known tricks, we aren’t fooling any adversary. We are simply fooling the database that stores passwords into thinking the user did something good."[58]
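The two rule sets contrasted in this section, as an added example that is not from the article, NIST or any cited author: a legacy composition checker (length cap plus "one upper, one lower, one digit or symbol") beside a NIST-style checker that instead allows long passphrases and rejects anything on a blocklist. The blocklist here is a handful of constructed entries standing in for a real breached-password list, and the `normalize` step undoes the well-known substitutions Grassi describes so that "P@55w0rd!" is looked up as "password". Function names and the substitution table are my own.

```python
import re

# Constructed stand-in for a breached-password blocklist (real lists have millions of entries).
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# The substitutions the text calls "well-known tricks", mapped back to the letters they imitate.
LEET = str.maketrans({"1": "i", "!": "i", "3": "e", "4": "a", "@": "a",
                      "$": "s", "5": "s", "0": "o", "7": "t"})


def composition_rules_ok(pw: str, min_len: int = 8, max_len: int = 16) -> bool:
    """Legacy policy of the kind the 2003 report inspired: short cap, forced character classes."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit_or_symbol = any(c.isdigit() or (not c.isalnum() and not c.isspace()) for c in pw)
    return min_len <= len(pw) <= max_len and has_upper and has_lower and has_digit_or_symbol


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word it is built on, for the blocklist lookup:
    lower-case, drop a trailing run of digits/symbols ("password1"), undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)
    return core.translate(LEET)


def nist_style_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """NIST-style policy: no composition rules, a generous maximum, reject known-bad values
    both as typed and after normalization."""
    if not (min_len <= len(pw) <= max_len):
        return False
    return pw.lower() not in BLOCKLIST and normalize(pw) not in BLOCKLIST


def compare_policies(candidates):
    """Return {password: (composition_ok, nist_ok)} so the two rule sets can be read side by side."""
    return {pw: (composition_rules_ok(pw), nist_style_ok(pw)) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates, including the "Password1" and "illusory complexity" cases from the text.
    for pw, verdict in compare_policies(
            ["Password1", "P@55w0rd!", "correct horse battery staple", "xk9 gentle-heron walrus"]).items():
        print(f"{pw!r}: composition={verdict[0]} nist={verdict[1]}")
```

The table this prints is the section's argument in miniature: the composition checker accepts the two weakest candidates and rejects the strongest, while the blocklist-based checker does the reverse. The normalization is deliberately narrow (only trailing decorations and single-character substitutions); catching heavier mangling is a job for the breached-password list itself, not for ever more clever rules.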

Pieris Tsokkis and Eliana Stavrou were able to identify some bad password construction strategies through their research and development of a password generator tool. They came up with eight categories of password construction strategies based on exposed password lists, password cracking tools, and online reports citing the most used passwords. These categories include user-related information, keyboard combinations and patterns, placement strategy, word processing, substitution, capitalization, appended dates, and a combination of the previous categories.[60]

Password cracking

Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.

Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or 'hardness' in terms of entropy.[15]

Passwords easily discovered are termed weak or vulnerable; passwords very difficult or impossible to discover are considered strong. There are several programs available for password attack (or even auditing and recovery by systems personnel) such as L0phtCrack, John the Ripper, and Cain; some of which use password design vulnerabilities (as found in the Microsoft LANManager system) to increase efficiency. These programs are sometimes used by system administrators to detect weak passwords proposed by users.

Studies of production computer systems have consistently shown that a large fraction of all user-chosen passwords are readily guessed automatically. For example, Columbia University found 22% of user passwords could be recovered with little effort.[61] According to Bruce Schneier, examining data from a 2006 phishing attack, 55% of MySpace passwords would be crackable in 8 hours using a commercially available Password Recovery Toolkit capable of testing 200,000 passwords per second in 2006.[62] He also reported that the single most common password was password1, confirming yet again the general lack of informed care in choosing passwords among users. (He nevertheless maintained, based on these data, that the general quality of passwords has improved over the years—for example, average length was up to eight characters from under seven in previous surveys, and less than 4% were dictionary words.[63])

Incidents

  • On July 16, 1998, CERT reported an incident where an attacker had found 186,126 hashed ("encrypted") passwords. At the time the attacker was discovered, 47,642 passwords had already been cracked.[64]
  • In September 2001, after the deaths of 960 New York employees in the September 11 attacks, financial services firm Cantor Fitzgerald through Microsoft broke the passwords of deceased employees to gain access to files needed for servicing client accounts.[65] Technicians used brute-force attacks, and interviewers contacted families to gather personalized information that might reduce the search time for weaker passwords.[65]
  • In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The hacker then leaked the full list of the 32 million passwords (with no other identifiable information) to the Internet. Passwords were stored in cleartext in the database and were extracted through a SQL injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords.[66]
  • In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data was leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.[67]
  • On July 11, 2011, Booz Allen Hamilton, a consulting firm that does work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. "The leak, dubbed 'Military Meltdown Monday,' includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors."[68] The leaked passwords turned out to be stored as SHA-1 hashes; hashes cannot be decrypted, but Imperva's ADC team later cracked and analyzed them, finding that even military personnel look for shortcuts and ways around the password requirements.[69]

Alternatives to passwords for authentication

The numerous ways in which permanent or semi-permanent passwords can be compromised have prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative.[70] A 2012 paper[71] examines why passwords have proved so hard to supplant (despite numerous predictions that they would soon be a thing of the past[72]); after examining thirty-five representative proposed replacements with respect to security, usability and deployability, the authors conclude that "none even retains the full set of benefits that legacy passwords already provide."

  • Single-use passwords. Having passwords that are only valid once makes many potential attacks ineffective. Most users find single-use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single-use issue has not led to intolerable customer dissatisfaction in this case.
  • Time-synchronized one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so.
  • PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when a user superimposes a unique printed visual key over a server-generated challenge image shown on the user's screen.
  • Access controls based on public-key cryptography e.g. ssh. The necessary keys are usually too large to memorize (but see proposal Passmaze)[73] and must be stored on a local computer, security token or portable memory device, such as a USB flash drive or even floppy disk. The private key may be stored on a cloud service provider, and activated by the use of a password or two-factor authentication.
  • Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan,[needs update] for example, fingerprints, irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems, for example, the gummy fingerprint spoof demonstration,[74] and, because these characteristics are unalterable, they cannot be changed if compromised; this is a highly important consideration in access control, as a compromised access token is necessarily insecure.
  • Single sign-on technology is claimed to eliminate the need for having multiple passwords. Such schemes do not relieve users and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
  • Envaulting technology is a password-free way to secure data on removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user's access to a network resource.
  • Non-text-based passwords, such as graphical passwords or mouse-movement based passwords.[75] Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they use images, graphics or colours instead of letters, digits or special characters. One system requires users to select a series of faces as a password, utilizing the human brain's ability to recall faces easily.[76] In some implementations the user is required to pick from a series of images in the correct sequence in order to gain access.[77] Another graphical password solution creates a one-time password using a randomly generated grid of images. Each time the user is required to authenticate, they look for the images that fit their pre-chosen categories and enter the randomly generated alphanumeric character that appears in the image to form the one-time password.[78][79] So far, graphical passwords are promising, but are not widely used. Studies on this subject have been made to determine its usability in the real world. While some believe that graphical passwords would be harder to crack, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.[citation needed]
  • 2D Key (2-Dimensional Key)[80] is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography)[81] using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key.
  • Cognitive passwords use question and answer cue/response pairs to verify identity.

"The password is dead"

"The password is dead" is a recurring idea in computer security. The reasons given often include reference to the usability as well as security problems of passwords. It often accompanies arguments that the replacement of passwords by a more secure means of authentication is both necessary and imminent. This claim has been made by numerous people at least since 2004.[72][82][83][84][85][86][87][88]

Alternatives to passwords include biometrics, two-factor authentication or single sign-on, Microsoft's Cardspace, the Higgins project, the Liberty Alliance, NSTIC, the FIDO Alliance and various Identity 2.0 proposals.[89][90]

However, in spite of these predictions and efforts to replace them passwords are still the dominant form of authentication on the web. In "The Persistence of Passwords," Cormac Herley and Paul van Oorschot suggest that every effort should be made to end the "spectacularly incorrect assumption" that passwords are dead.[91] They argue that "no other single technology matches their combination of cost, immediacy and convenience" and that "passwords are themselves the best fit for many of the scenarios in which they are currently used."

Following this, Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security.[92][93] Their analysis shows that most schemes do better than passwords on security, some schemes do better and some worse with respect to usability, while every scheme does worse than passwords on deployability. The authors conclude with the following observation: "Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery."

See also

  • Access code (disambiguation)
  • Authentication
  • CAPTCHA
  • Cognitive science
  • Combination lock
  • Diceware
  • Electronic lock
  • Kerberos (protocol)
  • Keyfile
  • Passphrase
  • Password cracking
  • Password fatigue
  • Password length parameter
  • Password manager
  • Password notification e-mail
  • Password policy
  • Password psychology
  • Password strength
  • Password synchronization
  • Password-authenticated key agreement
  • Personal identification number
  • Pre-shared key
  • Rainbow table
  • Random password generator
  • Secure Password Sharing
  • Self-service password reset
  • Shibboleth
  • Usability of web authentication systems

References

  1. ^ a b "passcode". YourDictionary. Retrieved 17 May 2019.
  2. ^ Ranjan, Pratik; Om, Hari (2016-05-06). "An Efficient Remote User Password Authentication Scheme based on Rabin's Cryptosystem". Wireless Personal Communications. 90 (1): 217–244. doi:10.1007/s11277-016-3342-5. ISSN 0929-6212. S2CID 21912076.
  3. ^ a b Williams, Shannon (21 Oct 2020). "Average person has 100 passwords - study". NordPass. Retrieved April 28, 2021.
  4. ^ a b Grassi, Paul A.; Garcia, Michael E.; Fenton, James L. (June 2017). "NIST Special Publication 800-63-3: Digital Identity Guidelines". National Institute of Standards and Technology (NIST). doi:10.6028/NIST.SP.800-63-3. Retrieved 17 May 2019.
  5. ^ "authentication protocol". Computer Security Resource Center (NIST). Archived from the original on 17 May 2019. Retrieved 17 May 2019.
  6. ^ "Passphrase". Computer Security Resource Center (NIST). Retrieved 17 May 2019.
  7. ^ Polybius on the Roman Military Archived 2008-02-07 at the Wayback Machine. Ancienthistory.about.com (2012-04-13). Retrieved on 2012-05-20.
  8. ^ Mark Bando (2007). 101st Airborne: The Screaming Eagles in World War II. Mbi Publishing Company. ISBN 978-0-7603-2984-9. Archived from the original on 2 June 2013. Retrieved 20 May 2012.
  9. ^ McMillan, Robert (27 January 2012). "The World's First Computer Password? It Was Useless Too". Wired magazine. Retrieved 22 March 2019.
  10. ^ Hunt, Troy (26 July 2017). "Passwords Evolved: Authentication Guidance for the Modern Era". Retrieved 22 March 2019.
  11. ^ CTSS Programmers Guide, 2nd Ed., MIT Press, 1965
  12. ^ Morris, Robert; Thompson, Ken (1978-04-03). "Password Security: A Case History". Bell Laboratories. CiteSeerX 10.1.1.128.1635.
  13. ^ Vance, Ashlee (2010-01-10). "If Your Password Is 123456, Just Make It HackMe". The New York Times. Archived from the original on 2017-02-11.
  14. ^ "Managing Network Security". Fred Cohen and Associates, All.net. Archived from the original on March 2, 2008. Retrieved 2009-03-31.
  15. ^ a b c d Lundin, Leigh (2013-08-11). "PINs and Passwords, Part 2". Passwords. Orlando: SleuthSayers.
  16. ^ The Memorability and Security of Passwords Archived 2012-04-14 at the Wayback Machine (pdf). ncl.ac.uk. Retrieved on 2012-05-20.
  17. ^ Michael E. Whitman; Herbert J. Mattord (2014). Principles of Information Security. Cengage Learning. p. 162. ISBN 978-1-305-17673-7.
  18. ^ "How to Create a Random Password Generator". PCMAG. Retrieved 2021-09-05.
  19. ^ Lewis, Dave (2011). Ctrl-Alt-Delete. p. 17. ISBN 978-1471019111. Retrieved 10 July 2015.
  20. ^ Techlicious / Fox Van Allen @techlicious (2013-08-08). "Google Reveals the 10 Worst Password Ideas | TIME.com". Techland.time.com. Archived from the original on 2013-10-22. Retrieved 2013-10-16.
  21. ^ Fleishman, Glenn (November 24, 2015). "Write your passwords down to improve safety — A counter-intuitive notion leaves you less vulnerable to remote attack, not more". MacWorld. Retrieved April 28, 2021.
  22. ^ a b Lyquix Blog: Do We Need to Hide Passwords? Archived 2012-04-25 at the Wayback Machine. Lyquix.com. Retrieved on 2012-05-20.
  23. ^ Jonathan Kent Malaysia car thieves steal finger Archived 2010-11-20 at the Wayback Machine. BBC (2005-03-31)
  24. ^ Stuart Brown "Top ten passwords used in the United Kingdom". Archived from the original on November 8, 2006. Retrieved 2007-08-14.. Modernlifeisrubbish.co.uk (2006-05-26). Retrieved on 2012-05-20.
  25. ^ US patent 8046827 
  26. ^ Wilkes, M. V. Time-Sharing Computer Systems. American Elsevier, New York, (1968).
  27. ^ Schofield, Jack (10 March 2003). "Roger Needham". The Guardian.
  28. ^ The Bug Charmer: Passwords Matter Archived 2013-11-02 at the Wayback Machine. Bugcharmer.blogspot.com (2012-06-20). Retrieved on 2013-07-30.
  29. ^ a b Alexander, Steven. (2012-06-20) The Bug Charmer: How long should passwords be? Archived 2012-09-20 at the Wayback Machine. Bugcharmer.blogspot.com. Retrieved on 2013-07-30.
  30. ^ "passlib.hash - Password Hashing Schemes" Archived 2013-07-21 at the Wayback Machine.
  31. ^ a b Florencio et al., An Administrator's Guide to Internet Password Research Archived 2015-02-14 at the Wayback Machine. (pdf) Retrieved on 2015-03-14.
  32. ^ Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords « Thireus' Bl0g Archived 2012-08-30 at the Wayback Machine. Blog.thireus.com (2012-08-29). Retrieved on 2013-07-30.
  33. ^ a b Morris, Robert & Thompson, Ken (1979). "Password Security: A Case History". Communications of the ACM. 22 (11): 594–597. CiteSeerX 10.1.1.135.2097. doi:10.1145/359168.359172. S2CID 207656012. Archived from the original on 2003-03-22.
  34. ^ Password Protection for Modern Operating Systems Archived 2016-03-11 at the Wayback Machine (pdf). Usenix.org. Retrieved on 2012-05-20.
  35. ^ How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases Archived 2006-05-09 at the Wayback Machine. support.microsoft.com (2007-12-03). Retrieved on 2012-05-20.
  36. ^ "Why You Should Lie When Setting Up Password Security Questions". Techlicious. 2013-03-08. Archived from the original on 2013-10-23. Retrieved 2013-10-16.
  37. ^ a b Joseph Steinberg (12 November 2014). "Forbes: Why You Should Ignore Everything You Have Been Told About Choosing Passwords". Forbes. Archived from the original on 12 November 2014. Retrieved 12 November 2014.
  38. ^ "The problems with forcing regular password expiry". IA Matters. CESG: the Information Security Arm of GCHQ. 15 April 2016. Archived from the original on 17 August 2016. Retrieved 5 Aug 2016.
  39. ^ Schneier on Security discussion on changing passwords Archived 2010-12-30 at the Wayback Machine. Schneier.com. Retrieved on 2012-05-20.
  40. ^ Seltzer, Larry. (2010-02-09) "American Express: Strong Credit, Weak Passwords" Archived 2017-07-12 at the Wayback Machine. Pcmag.com. Retrieved on 2012-05-20.
  41. ^ "Ten Windows Password Myths" Archived 2016-01-28 at the Wayback Machine: "NT dialog boxes ... limited passwords to a maximum of 14 characters"
  42. ^ "You must provide a password between 1 and 8 characters in length". Jira.codehaus.org. Retrieved on 2012-05-20. Archived May 21, 2015, at the Wayback Machine
  43. ^ "To Capitalize or Not to Capitalize?" Archived 2009-02-17 at the Wayback Machine. World.std.com. Retrieved on 2012-05-20.
  44. ^ Thomas, Keir (February 10, 2011). "Password Reuse Is All Too Common, Research Shows". PC World. Archived from the original on August 12, 2014. Retrieved August 10, 2014.
  45. ^ Pauli, Darren (16 July 2014). "Microsoft: You NEED bad passwords and should re-use them a lot". The Register. Archived from the original on 12 August 2014. Retrieved 10 August 2014.
  46. ^ Bruce Schneier : Crypto-Gram Newsletter Archived 2011-11-15 at the Wayback Machine May 15, 2001
  47. ^ "Ten Windows Password Myths" Archived 2016-01-28 at the Wayback Machine: Myth #7. You Should Never Write Down Your Password
  48. ^ Kotadia, Munir (2005-05-23) Microsoft security guru: Jot down your passwords. News.cnet.com. Retrieved on 2012-05-20.
  49. ^ "The Strong Password Dilemma" Archived 2010-07-18 at the Wayback Machine by Richard E. Smith: "we can summarize classical password selection rules as follows: The password must be impossible to remember and never written down."
  50. ^ Bob Jenkins (2013-01-11). "Choosing Random Passwords". Archived from the original on 2010-09-18.
  51. ^ "The Memorability and Security of Passwords – Some Empirical Results" Archived 2011-02-19 at the Wayback Machine (pdf) "your password ... in a secure place, such as the back of your wallet or purse."
  52. ^ "Should I write down my passphrase?" Archived 2009-02-17 at the Wayback Machine. World.std.com. Retrieved on 2012-05-20.
  53. ^ Jaffery, Saman M. (17 October 2011). "Survey: 11% of Brits Include Internet Passwords in Will". Hull & Hull LLP. Archived from the original on 25 December 2011. Retrieved 16 July 2012.
  54. ^ Two-factor authentication Archived 2016-06-18 at the Wayback Machine
  55. ^ Improving Usability of Password Management with Standardized Password Policies Archived 2013-06-20 at the Wayback Machine (pdf). Retrieved on 2012-10-12.
  56. ^ a b Hate silly password rules? So does the guy who created them Archived 2018-03-29 at the Wayback Machine, ZDNet
  57. ^ The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d! Archived 2017-08-09 at the Wayback Machine, Wall Street Journal
  58. ^ a b Experts Say We Can Finally Ditch Those Stupid Password Rules Archived 2018-06-28 at the Wayback Machine, Fortune
  59. ^ NIST’s new password rules – what you need to know Archived 2018-06-28 at the Wayback Machine, Naked Security
  60. ^ P. Tsokkis and E. Stavrou, "A password generator tool to increase users' awareness on bad password construction strategies," 2018 International Symposium on Networks, Computers and Communications (ISNCC), Rome, 2018, pp. 1-5, doi:10.1109/ISNCC.2018.8531061.
  61. ^ "Password". cs.columbia.edu. Archived from the original on April 23, 2007. Retrieved 2012-05-20.
  62. ^ Schneier, Real-World Passwords Archived 2008-09-23 at the Wayback Machine. Schneier.com. Retrieved on 2012-05-20.
  63. ^ MySpace Passwords Aren't So Dumb Archived 2014-03-29 at the Wayback Machine. Wired.com (2006-10-27). Retrieved on 2012-05-20.
  64. ^ "CERT IN-98.03". 1998-07-16. Retrieved 2009-09-09.
  65. ^ a b Urbina, Ian; Davis, Leslye (November 23, 2014). "The Secret Life of Passwords". The New York Times. Archived from the original on November 28, 2014.
  66. ^ "Consumer Password Worst Practices (pdf)" (PDF). Archived (PDF) from the original on 2011-07-28.
  67. ^ "NATO site hacked". The Register. 2011-06-24. Archived from the original on June 29, 2011. Retrieved July 24, 2011.
  68. ^ "Anonymous Leaks 90,000 Military Email Accounts in Latest Antisec Attack". 2011-07-11. Archived from the original on 2017-07-14.
  69. ^ "Military Password Analysis". 2011-07-12. Archived from the original on 2011-07-15.
  70. ^ "The top 12 password-cracking techniques used by hackers". IT PRO. Retrieved 2022-07-18.
  71. ^ "The Quest to Replace Passwords (pdf)" (PDF). IEEE. 2012-05-15. Archived (PDF) from the original on 2015-03-19. Retrieved 2015-03-11.
  72. ^ a b "Gates predicts death of the password". CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
  73. ^ Cryptology ePrint Archive: Report 2005/434 Archived 2006-06-14 at the Wayback Machine. eprint.iacr.org. Retrieved on 2012-05-20.
  74. ^ Matsumoto, T.; Matsumoto, H.; Yamada, K.; Hoshino, S. (2002). "Impact of Artificial 'Gummy' Fingers on Fingerprint Systems". Proc. SPIE, Optical Security and Counterfeit Deterrence Techniques IV. 4677: 275. Bibcode:2002SPIE.4677..275M. doi:10.1117/12.462719. S2CID 16897825.
  75. ^ Using AJAX for Image Passwords – AJAX Security Part 1 of 3 Archived 2006-06-16 at the Wayback Machine. waelchatila.com (2005-09-18). Retrieved on 2012-05-20.
  76. ^ Butler, Rick A. (2004-12-21) Face in the Crowd Archived 2006-06-27 at the Wayback Machine. mcpmag.com. Retrieved on 2012-05-20.
  77. ^ graphical password or graphical user authentication (GUA) Archived 2009-02-21 at the Wayback Machine. searchsecurity.techtarget.com. Retrieved on 2012-05-20.
  78. ^ Ericka Chickowski (2010-11-03). "Images Could Change the Authentication Picture". Dark Reading. Archived from the original on 2010-11-10.
  79. ^ "Confident Technologies Delivers Image-Based, Multifactor Authentication to Strengthen Passwords on Public-Facing Websites". 2010-10-28. Archived from the original on 2010-11-07.
  80. ^ User Manual for 2-Dimensional Key (2D Key) Input Method and System Archived 2011-07-18 at the Wayback Machine. xpreeli.com. (2008-09-08) . Retrieved on 2012-05-20.
  81. ^ Kok-Wah Lee "Methods and Systems to Create Big Memorizable Secrets and Their Applications" Patent US20110055585 Archived 2015-04-13 at the Wayback Machine, WO2010010430. Filing date: December 18, 2008
  82. ^ Kotadia, Munir (25 February 2004). "Gates predicts death of the password". ZDNet. Retrieved 8 May 2019.
  83. ^ "IBM Reveals Five Innovations That Will Change Our Lives within Five Years". IBM. 2011-12-19. Archived from the original on 2015-03-17. Retrieved 2015-03-14.
  84. ^ Honan, Mat (2012-05-15). "Kill the Password: Why a String of Characters Can't Protect Us Anymore". Wired. Archived from the original on 2015-03-16. Retrieved 2015-03-14.
  85. ^ "Google security exec: 'Passwords are dead'". CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
  86. ^ "Authentication at Scale". IEEE. 2013-01-25. Archived from the original on 2015-04-02. Retrieved 2015-03-12.
  87. ^ Mims, Christopher (2014-07-14). "The Password Is Finally Dying. Here's Mine". Wall Street Journal. Archived from the original on 2015-03-13. Retrieved 2015-03-14.
  88. ^ "Russian credential theft shows why the password is dead". Computer World. 2014-08-14. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
  89. ^ "NSTIC head Jeremy Grant wants to kill passwords". Fedscoop. 2014-09-14. Archived from the original on 2015-03-18. Retrieved 2015-03-14.
  90. ^ "Specifications Overview". FIDO Alliance. 2014-02-25. Archived from the original on 2015-03-15. Retrieved 2015-03-15.
  91. ^ "A Research Agenda Acknowledging the Persistence of Passwords". IEEE Security&Privacy. Jan 2012. Archived from the original on 2015-06-20. Retrieved 2015-06-20.
  92. ^ Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". Technical Report - University of Cambridge. Computer Laboratory. Cambridge, UK: University of Cambridge Computer Laboratory. doi:10.48456/tr-817. ISSN 1476-2986. Retrieved 22 March 2019.
  93. ^ Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". 2012 IEEE Symposium on Security and Privacy. 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. doi:10.1109/SP.2012.44. ISBN 978-1-4673-1244-8.

External links

  • Graphical Passwords: A Survey
  • Large list of commonly used passwords
  • Large collection of statistics about passwords
  • Research Papers on Password-based Cryptography
  • The international passwords conference
  • Procedural Advice for Organisations and Administrators (PDF)
  • Centre for Security, Communications and Network Research, University of Plymouth (PDF)
  • 2017 draft update to NIST password standards for the U.S. federal government



QR code

Type of matrix barcode

QR code for the URL of the English Wikipedia Mobile main page

A QR code (an initialism for quick response code) is a type of matrix barcode (or two-dimensional barcode)[1][2] invented in 1994 by the Japanese company Denso Wave. A barcode is a machine-readable optical label that can contain information about the item to which it is attached. In practice, QR codes often contain data for a locator, identifier, or tracker that points to a website or application. QR codes use four standardized encoding modes (numeric, alphanumeric, byte/binary, and kanji) to store data efficiently; extensions may also be used.[3]

The quick response system became popular outside the automotive industry due to its fast readability and greater storage capacity compared to standard UPC barcodes. Applications include product tracking, item identification, time tracking, document management, and general marketing.[4]

A QR code consists of black squares arranged in a square grid on a white background, including some fiducial markers, which can be read by an imaging device such as a camera, and processed using Reed–Solomon error correction until the image can be appropriately interpreted. The required data is then extracted from patterns that are present in both horizontal and vertical components of the image.[4]
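The four encoding modes mentioned above are where the "greater storage capacity" comes from: the same characters cost different numbers of bits depending on the mode, and an encoder picks the tightest mode the data allows. The following added example (not code from the original article, and not the Denso Wave or ZXing implementation) produces the data bit stream for the numeric, alphanumeric and byte modes as ISO/IEC 18004 defines them: a four-bit mode indicator, a character-count indicator whose width depends on the symbol version, then the packed data. Error-correction codewords, kanji mode and module placement are left out; the sample strings are constructed.

```python
"""Bit-level data encoding for the numeric, alphanumeric and byte modes of
ISO/IEC 18004, to show why each mode exists: the same payload costs a
different number of bits. Added example; the inputs are constructed.
(Kanji mode, error-correction codewords and module placement are omitted.)"""
from typing import Callable, Dict, Optional, Tuple

ALPHANUMERIC = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"
_ALNUM_INDEX: Dict[str, int] = {ch: i for i, ch in enumerate(ALPHANUMERIC)}

# Mode indicator and the width of the character-count indicator, which
# depends on the symbol version (1-9, 10-26, 27-40).
_MODES: Dict[str, Tuple[str, Tuple[int, int, int]]] = {
    "numeric": ("0001", (10, 12, 14)),
    "alphanumeric": ("0010", (9, 11, 13)),
    "byte": ("0100", (8, 16, 16)),
}


def _count_bits(mode: str, version: int) -> int:
    if not 1 <= version <= 40:
        raise ValueError("QR versions are 1..40")
    sizes = _MODES[mode][1]
    return sizes[0] if version <= 9 else sizes[1] if version <= 26 else sizes[2]


def _bits(value: int, width: int) -> str:
    return format(value, f"0{width}b")


def _header(mode: str, count: int, version: int) -> str:
    return _MODES[mode][0] + _bits(count, _count_bits(mode, version))


def encode_numeric(data: str, version: int = 1) -> str:
    """Digits in groups of three -> 10 bits; a trailing pair -> 7 bits, single -> 4."""
    if not data.isdigit():
        raise ValueError("numeric mode takes digits only")
    out = _header("numeric", len(data), version)
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        out += _bits(int(group), {3: 10, 2: 7, 1: 4}[len(group)])
    return out


def encode_alphanumeric(data: str, version: int = 1) -> str:
    """Pairs of characters -> 11 bits (45*a + b); a trailing single -> 6 bits."""
    if any(ch not in _ALNUM_INDEX for ch in data):
        raise ValueError("alphanumeric mode: only 0-9, A-Z, space, $%*+-./:")
    out = _header("alphanumeric", len(data), version)
    for i in range(0, len(data), 2):
        pair = data[i:i + 2]
        if len(pair) == 2:
            out += _bits(_ALNUM_INDEX[pair[0]] * 45 + _ALNUM_INDEX[pair[1]], 11)
        else:
            out += _bits(_ALNUM_INDEX[pair], 6)
    return out


def encode_byte(data: str, version: int = 1, encoding: str = "iso-8859-1") -> str:
    """Eight bits per byte; the count indicator counts bytes, not characters."""
    raw = data.encode(encoding)
    return _header("byte", len(raw), version) + "".join(_bits(b, 8) for b in raw)


def choose_mode(data: str, version: int = 1) -> str:
    """Pick the most compact mode that can represent the whole string."""
    encoders: Dict[str, Callable[[str, int], str]] = {
        "numeric": encode_numeric, "alphanumeric": encode_alphanumeric, "byte": encode_byte}
    best: Optional[Tuple[str, int]] = None
    for mode, enc in encoders.items():
        try:
            n = len(enc(data, version))
        except (ValueError, UnicodeEncodeError):
            continue
        if best is None or n < best[1]:
            best = (mode, n)
    if best is None:
        raise ValueError("string not representable in these modes")
    return best[0]


if __name__ == "__main__":
    for s in ("8675309", "HELLO WORLD", "hello world"):
        print(f"{s!r}: best mode {choose_mode(s)}, "
              f"{len(globals()['encode_' + choose_mode(s)](s))} data bits")
```

For the digit string the numeric mode needs 38 bits, the alphanumeric mode 52 and the byte mode 68, which is the efficiency claim above in concrete form. Real encoders go further and switch modes mid-stream (a URL's upper-case host in alphanumeric mode, its path in byte mode), which this single-mode chooser does not attempt.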

History

The QR code system was invented in 1994 by Masahiro Hara from the Japanese company Denso Wave.[5][6][7] The initial design was influenced by the black and white pieces on a Go board.[8] Its purpose was to keep track of automotive parts manufactured by Denso, to replace several bar codes on each box, each of which had to be scanned separately.[9]

Adoption

QR codes can be displayed on buildings, as this one being painted in Cape Town

QR codes are now used in a much broader context, including both commercial tracking applications and convenience-oriented applications aimed at mobile-phone users (termed mobile tagging). QR codes may be used to display text to the user, to open a webpage on the user's device, to add a vCard contact to the user's device, to open a Uniform Resource Identifier (URI), to connect to a wireless network, or to compose an email or text message. There are a great many QR code generators available as software or as online tools that are either free, or require a paid subscription.[10] The QR code has become one of the most-used types of two-dimensional code.[11]

During the month of June 2011, 14 million American mobile users scanned a QR code or a barcode. Some 58% of those users scanned a QR or barcode from their homes, while 39% scanned from retail stores; 53% of the 14 million users were men between the ages of 18 and 34.[12]

In September 2020, a survey found that 18.8 percent of consumers in the United States and United Kingdom strongly agreed that they had noticed an increase of QR code use since the then-active COVID-19 related restrictions had begun several months prior.[13]

Standards

Structure of a QR code (version 7), highlighting functional elements

There are several standards that cover the encoding of data as QR codes:[14]

  • October 1997 – AIM (Association for Automatic Identification and Mobility) International[15]
  • January 1999 – JIS X 0510
  • June 2000 – ISO/IEC 18004:2000 Information technology – Automatic identification and data capture techniques – Bar code symbology – QR code (now withdrawn)
    Defines QR code models 1 and 2 symbols.
  • 1 September 2006 – ISO/IEC 18004:2006 Information technology – Automatic identification and data capture techniques – QR code 2005 bar code symbology specification (now withdrawn)[16]
    Defines QR code 2005 symbols, an extension of QR code model 2. Does not specify how to read QR code model 1 symbols, or require this for compliance.
  • 1 February 2015 – ISO/IEC 18004:2015 Information technology – Automatic identification and data capture techniques – QR Code barcode symbology specification
    Renames the QR Code 2005 symbol to QR Code and adds clarification to some procedures and minor corrections.

At the application layer, there is some variation between most of the implementations. Japan's NTT DoCoMo has established de facto standards for the encoding of URLs, contact information, and several other data types.[17] The open-source "ZXing" project maintains a list of QR code data types.[18]
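Because those application-layer data types (a URL, a `WIFI:` record that joins a network, a `mailto:`) are acted on by the scanning device, a scanned payload is untrusted input in the same sense as a link in an e-mail: a sticker over the code on a poster can point at a phishing site or a hostile access point. The following added example (not code from the original article or from ZXing) shows the classification a scanner app should do before offering any action: it enforces the capacity limit of a version-40 symbol, parses the `WIFI:` record using the ZXing-documented field syntax (`T`/`S`/`P`/`H` fields, `;` separators, backslash escapes), and reports only `http`/`https` links as URLs, so `javascript:` or `data:` payloads never reach a "open link" button. The set of accepted authentication types and the sample payloads are assumptions made for the demo.

```python
"""Classifying a scanned QR payload before acting on it. Scanned content is
untrusted input: a code on a poster can carry a phishing URL or a WIFI:
record for a hostile access point. Added example; the WIFI: field syntax
follows the ZXing barcode-contents convention (T/S/P/H fields, ';'
separators, backslash escapes); the sample payloads are constructed."""
from typing import Any, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Byte-mode capacity of a version-40 symbol (ISO/IEC 18004); a longer
# "payload" did not come from a single QR code.
MAX_PAYLOAD = 2953
SAFE_URL_SCHEMES = {"http", "https"}
WIFI_AUTH = {"WPA", "WEP", "nopass", ""}   # assumed accepted values for the T field


def _split_fields(body: str) -> Dict[str, str]:
    """Turn 'K:v;K:v;;' into a dict, honouring backslash escapes so that
    ';', ':' and '\\' inside an SSID or passphrase survive."""
    fields: Dict[str, str] = {}
    key: Optional[str] = None
    buf: list = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: take it literally
            buf.append(body[i + 1])
            i += 2
            continue
        if key is None and ch == ":":          # end of the field name
            key, buf = "".join(buf), []
        elif key is not None and ch == ";":    # end of the field value
            fields[key], key, buf = "".join(buf), None, []
        elif not (key is None and ch == ";"):  # stray ';' between records is ignored
            buf.append(ch)
        i += 1
    return fields


def parse_wifi(payload: str) -> Dict[str, Any]:
    """Parse 'WIFI:T:WPA;S:ssid;P:pass;H:true;;' into validated fields."""
    if not payload.upper().startswith("WIFI:"):
        raise ValueError("not a WIFI: record")
    f = _split_fields(payload[5:])
    auth = f.get("T", "")
    if auth not in WIFI_AUTH:
        raise ValueError(f"unknown auth type {auth!r}")
    ssid = f.get("S", "")
    if not ssid or len(ssid.encode("utf-8")) > 32:   # 802.11 SSID length limit
        raise ValueError("missing or over-long SSID")
    return {"auth": auth or "nopass", "ssid": ssid,
            "password": f.get("P", ""), "hidden": f.get("H", "").lower() == "true"}


def classify(payload: str) -> Tuple[str, Any]:
    """Return (kind, data). Only http/https links are reported as 'url';
    javascript:, data:, file: and scheme-less strings fall through to 'text',
    so a caller never opens them as links."""
    if len(payload.encode("utf-8")) > MAX_PAYLOAD:
        return "invalid", "payload exceeds QR capacity"
    if payload.upper().startswith("WIFI:"):
        try:
            return "wifi", parse_wifi(payload)
        except ValueError as exc:
            return "invalid", str(exc)
    parts = urlsplit(payload)
    if parts.scheme.lower() in SAFE_URL_SCHEMES and parts.netloc:
        return "url", payload
    return "text", payload


if __name__ == "__main__":
    for sample in ("https://example.com/menu", "javascript:alert(1)",
                   "WIFI:T:WPA;S:Caf\\;Net;P:s3cret\\:pw;H:true;;", "plain text"):
        print(classify(sample))
```

Classification is the easy half; the other half is that the scanner must show the user the decoded host or SSID and wait for confirmation rather than joining or navigating automatically, since nothing in the symbol itself authenticates where it came from.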

Uses

A QR code used on a large billboard in Japan, linking to the sagasou.mobi website

QR codes have become common in consumer advertising. Typically, a smartphone is used as a QR code scanner, displaying the code and converting it to some useful form (such as a standard URL for a website, thereby obviating the need for a user to type it into a web browser). QR code has become a focus of advertising strategy, since it provides a way to access a brand's website more quickly than by manually entering a URL.[19][20] Beyond mere convenience to the consumer, the importance of this capability is that it increases the conversion rate: the chance that contact with the advertisement will convert to a sale. It coaxes interested prospects further down the conversion funnel with little delay or effort, bringing the viewer to the advertiser's website immediately, whereas a longer and more targeted sales pitch may lose the viewer's interest.

Although initially used to track parts in vehicle manufacturing, QR codes are now used over a much wider range of applications. These include commercial tracking, entertainment and transport ticketing, product and loyalty marketing, and in-store product labeling. Marketing examples include coupons whose discount details are captured with a QR code decoder app on a mobile phone, and company details such as an address stored alongside the alphanumeric text of a listing, as seen in Yellow Pages directories.

They can also be used in storing personal information for use by organizations. An example of this is Philippines National Bureau of Investigation (NBI) where NBI clearances now come with a QR code. Many of these applications target mobile-phone users (via mobile tagging). Users may receive text, add a vCard contact to their device, open a URL, or compose an e-mail or text message after scanning QR codes. They can generate and print their own QR codes for others to scan and use by visiting one of several pay or free QR code-generating sites or apps. Google had an API, now deprecated, to generate QR codes,[21] and apps for scanning QR codes can be found on nearly all smartphone devices.[22]

QR codes have been used and printed on train tickets in China since 2010.[23]

QR codes storing addresses and URLs may appear in magazines, on signs, on buses, on business cards, or on almost any object about which users might want information. Users with a camera phone equipped with the correct reader application can scan the image of the QR code to display text, contact information, connect to a wireless network, or open a web page in the phone's browser. This act of linking from physical world objects is termed hardlinking or object hyperlinking. QR codes also may be linked to a location to track where a code has been scanned. Either the application that scans the QR code retrieves the geo information by using GPS and cell tower triangulation (aGPS) or the URL encoded in the QR code itself is associated with a location. In 2008, a Japanese stonemason announced plans to engrave QR codes on gravestones, allowing visitors to view information about the deceased, and family members to keep track of visits.[24] Psychologist Richard Wiseman was one of the first authors to include QR codes in a book, in Paranormality: Why We See What Isn't There (2011).[25]

QR codes have been incorporated into currency. In June 2011, The Royal Dutch Mint (Koninklijke Nederlandse Munt) issued the world's first official coin with a QR code to celebrate the centenary of its current building and premises. The coin can be scanned by a smartphone and originally linked to a special website with contents about the historical event and design of the coin.[26] In 2014, the Central Bank of Nigeria issued a 100-naira banknote to commemorate its centennial, the first banknote to incorporate a QR code in its design. When scanned with an internet-enabled mobile device, the code goes to a website which tells the centenary story of Nigeria.[27] In 2015, the Central Bank of the Russian Federation issued a 100-rubles note to commemorate the annexation of Crimea by the Russian Federation. It contains a QR code in its design, and when scanned with an internet-enabled mobile device, the code goes to a website that details the historical and technical background of the commemorative note. In 2017, the Bank of Ghana issued a 5-cedis banknote to commemorate 60 years of central banking in Ghana; it contains a QR code in its design which, when scanned with an internet-enabled mobile device, goes to the official Bank of Ghana website.

Credit card functionality is under development. In September 2016, the Reserve Bank of India (RBI) launched Bharat QR, a common QR code jointly developed by the four major card payment companies: the National Payments Corporation of India, which runs RuPay cards, along with MasterCard, Visa and American Express. It will also be able to accept payments on the Unified Payments Interface (UPI) platform.[28][29]

Augmented reality

QR codes are used in some augmented reality systems to determine the positions of objects in 3-dimensional space.[9]

Displaying multimedia contents

QR codes are also used to direct users to specific multimedia content (such as videos, audio, images, documents and any other type of content accessible from the web). This type of QR code is called a "multimedia QR code".

Mobile operating systems

QR codes can be used on various mobile device operating systems. iPhones running on iOS 11 and higher[30] and some Android devices can natively scan QR codes without downloading an external app.[31] The camera app is able to scan and display the kind of QR code (only on iPhone) along with the link (both on Android and iPhone). These devices support URL redirection, which allows QR codes to send metadata to existing applications on the device. Many paid or free apps are available with the ability to scan the codes and hard-link to an external URL.

Virtual stores

QR codes have been used to establish "virtual stores", where a gallery of product information and QR codes is presented to the customer, e.g. on a train station wall. The customers scan the QR codes, and the products are delivered to their homes. This use started in South Korea,[32] and Argentina,[33] but is currently expanding globally.[34] Walmart, Procter & Gamble and Woolworths have already adopted the Virtual Store concept.[35]

QR code payment

QR codes can be used to store bank account information or credit card information, or they can be specifically designed to work with particular payment provider applications. There are several trial applications of QR code payments across the world.[36][37] In developing countries like China,[38][39] India[40] and Bangladesh, QR code payment is a very popular and convenient method of making payments. Since Alipay designed a QR code payment method in 2011,[41] mobile payment has been quickly adopted in China. As of 2018, around 83% of all payments were made via mobile payment.[42]

In November 2012, QR code payments were deployed on a larger scale in the Czech Republic when an open format for payment information exchange – a Short Payment Descriptor – was introduced and endorsed by the Czech Banking Association as the official local solution for QR payments.[43][44] In 2013, the European Payment Council provided guidelines for the EPC QR code enabling SCT initiation within the Eurozone.

In 2017, Singapore created a taskforce including government agencies such as the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) to spearhead a system for e-payments using standardized QR code specifications tailored to Singapore's market.[45]

The e-payment system, Singapore Quick Response Code (SGQR), essentially merges various QR codes into one label which can be used by both parties in the payment system. This allows for various banking apps to facilitate payments between multiple customers and a merchant that displays the single QR code.[46]

A single SGQR label combines multiple e-payment options. Once consumers spot the SGQR label, they can scan it and see which payment options the merchant accepts. The SGQR scheme is co-owned by MAS and IMDA.[47]

Website login

QR codes can be used to log into websites: a QR code is shown on the login page on a computer screen, and when a registered user scans it with a verified smartphone, they will automatically be logged in. Authentication is performed by the smartphone which contacts the server. Google tested such a login method in January 2012.[48]
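The flow described above, as an added example that is not code from the page or from Google's trial: an in-memory model of the server side, in which the challenge rendered as the QR code is a random token bound to the browser session that requested it, given a short lifetime, and consumed on first use. The class, its method names and the 60-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time


class QrLoginServer:
    """Server side of a QR login (added example, not a real product's code).

    The login page asks for a challenge, renders the returned token as a QR code
    and polls redeem(). An already-authenticated phone scans the code and calls
    approve() over its own session. The token is random, bound to the browser
    session that requested it, short-lived and single-use, so a token scanned
    from someone else's screen cannot be redeemed by a different browser.
    """

    TTL_SECONDS = 60  # assumed lifetime of a challenge

    def __init__(self):
        # token -> {"browser": session id, "issued": timestamp, "user": None or user id}
        self.challenges = {}

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def new_challenge(self, browser_session_id, now=None):
        """Called by the login page; the token is what gets rendered as the QR code."""
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        self.challenges[token] = {"browser": browser_session_id,
                                  "issued": self._now(now), "user": None}
        return token

    def approve(self, token, phone_user, now=None):
        """Called by the phone app, which is already authenticated as phone_user."""
        ch = self.challenges.get(token)
        if ch is None or ch["user"] is not None:
            return False                              # unknown, or already approved
        if self._now(now) - ch["issued"] > self.TTL_SECONDS:
            del self.challenges[token]                # expired: drop it
            return False
        ch["user"] = phone_user
        return True

    def redeem(self, token, browser_session_id, now=None):
        """Polled by the login page; returns the user id once approved, else None."""
        ch = self.challenges.get(token)
        if ch is None or ch["user"] is None:
            return None                               # not (yet) approved: keep polling
        del self.challenges[token]                    # single use from this point on
        if not hmac.compare_digest(ch["browser"], browser_session_id):
            return None                               # a different browser tried to claim it
        if self._now(now) - ch["issued"] > self.TTL_SECONDS:
            return None                               # approved too late
        return ch["user"]
```

A redeem attempt from the wrong browser deliberately destroys the approved challenge rather than leaving it for the legitimate browser to pick up: the user then simply gets a fresh code, while an attacker who relayed the QR code to a victim gains nothing.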

Mobile ticket

There is a system whereby a QR code can be displayed on a device such as a smartphone and used as an admission ticket.[49][50][51] Its use is common for J1 League and Nippon Professional Baseball tickets in Japan.[52][53] In some cases, rights can be transferred via the Internet.

Restaurant ordering

Restaurants can present a QR code near the front door or at the table allowing guests to view an online menu, or even redirect them to an online ordering website or app, allowing them to order and/or possibly pay for their meal without having to use a cashier or waiter. QR codes can also link to daily or weekly specials that are not printed on the standardized menus,[54] and enable the establishment to update the entire menu without needing to print copies. At table-serve restaurants, QR codes enable guests to order and pay for their meals without a waiter involved – the QR code contains the table number so servers know where to bring the food.[55][56] This application has grown especially since the need for social distancing during the 2020 COVID-19 pandemic prompted reduced contact between service staff and customers.[55]

Joining a Wi‑Fi network


A QR code to automatically join a Wi‑Fi network

By specifying the SSID, encryption type, password/passphrase, and if the SSID is hidden or not, mobile device users can quickly scan and join networks without having to manually enter the data.[57] A MeCard-like format is supported by Android and iOS 11+.[58]

  • Common format: WIFI:S:<SSID>;T:<WEP|WPA|blank>;P:<PASSWORD>;H:<true|false|blank>;;
  • Sample: WIFI:S:MySSID;T:WPA;P:MyPassW0rd;;
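An encoder and parser for that format, as an added example (not code from the page or from any scanner app). It handles the backslash escaping of the characters \ ; , " and : inside field values, which the sample above does not need because MySSID and MyPassW0rd contain none of them; the blank T: value for an open network follows the format line above. One point worth keeping in mind: the passphrase is stored in the clear, so anyone who can photograph the code has the network credential.

```python
WIFI_ESCAPED = '\\;,":'   # characters that must be backslash-escaped inside a field value


def wifi_escape(value):
    return "".join("\\" + c if c in WIFI_ESCAPED else c for c in value)


def wifi_payload(ssid, password="", auth="WPA", hidden=False):
    """Build a WIFI: payload. auth is 'WPA', 'WEP' or '' (blank) for an open network."""
    fields = [("S", wifi_escape(ssid)), ("T", auth)]
    if auth:
        fields.append(("P", wifi_escape(password)))
    if hidden:
        fields.append(("H", "true"))
    return "WIFI:" + "".join("%s:%s;" % kv for kv in fields) + ";"


def parse_wifi(payload):
    """Parse a WIFI: payload into a dict of its fields, honouring backslash escapes."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI payload")
    fields, key, buf, i = {}, None, [], len("WIFI:")
    while i < len(payload):
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):      # escaped character: take it literally
            buf.append(payload[i + 1])
            i += 2
            continue
        if key is None:
            if c == ":":                            # end of the key
                key, buf = "".join(buf), []
            elif c == ";":                          # second ';' of the ';;' terminator
                break
            else:
                buf.append(c)
        elif c == ";":                              # end of the value
            fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    return fields


if __name__ == "__main__":
    print(wifi_payload("MySSID", "MyPassW0rd"))          # the sample payload from the page
    print(parse_wifi(wifi_payload("Caf\u00e9;Bar", 'p"a:s\\s', hidden=True)))
```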

Funerary use


A QR code which links to an obituary and can be placed on a headstone

A QR code can link to an obituary and can be placed on a headstone. In 2008, Ishinokoe in Yamanashi Prefecture, Japan began to sell tombstones with QR codes produced by IT DeSign, where the code leads to a virtual grave site of the deceased.[59][60][61] Other companies, such as Wisconsin-based Interactive Headstones, have also begun implementing QR codes into tombstones.[62] In 2014, the Jewish Cemetery of La Paz in Uruguay began implementing QR codes for tombstones.[63]

Electronic authentication

QR codes are also used to provision time-based one-time password (TOTP) generators for electronic authentication: the enrollment code carries the shared secret and parameters that the authenticator app then uses to generate each code.

Loyalty programs

QR codes have been used by various retail outlets that have loyalty programs. Sometimes these programs are accessed with an app that is loaded onto a phone and includes a process triggered by a QR code scan. The QR codes for loyalty programs tend to be found printed on the receipt for a purchase or on the products themselves. Users in these schemes collect award points by scanning a code.

Counterfeit detection

Serialised QR codes have been used by brands[64] and governments[65] to let consumers, retailers and distributors verify the authenticity of the products and help with detecting counterfeit products, as part of a brand protection program.[66] However, the security level of a regular QR Code is limited since QR Codes printed on original products are easily reproduced on fake products, even though the analysis of data generated as a result of QR Code scanning can be used to detect counterfeiting and illicit activity.[67] A higher security level can be attained by embedding a digital watermark or copy detection pattern into the image of the QR Code. This makes the QR Code more secure against counterfeiting attempts, and fake products which contain a counterfeit QR Code can be detected by scanning the secure QR Code with a specific app (even though the QR Code message itself is valid).[68]

The treaty regulating apostilles (documents bearing a seal of authenticity), has been updated to allow for the issuance of digital apostilles by countries; a digital apostille is a PDF document with a cryptographic signature containing a QR code for a canonical URL of the original document, allowing users to verify the apostille from a printed version of the document.

Product tracing

Several studies have assessed the effectiveness of QR codes as a means of conveying labelling information and their use as part of a food traceability system. In a field experiment, it was found that when provided free access to a smartphone with a QR code scanning app, 52.6% of participants would use it to access labelling information.[69] A study in South Korea showed that consumers appreciate QR codes used in food traceability systems, as they provide detailed information about food, as well as information that helps them in their purchasing decisions.[70] If QR codes are serialised, consumers can access a web page showing the supply chain for each ingredient, as well as information specific to each related batch, including meat processors and manufacturers, which helps address concerns about the origin of their food.[71]

COVID-19 pandemic

After the COVID-19 pandemic began spreading, QR codes began to be used as a "touchless" system to display information, show menus, or provide updated consumer information, especially in the hospitality industry. Restaurants replaced paper or laminated plastic menus with QR code decals on the table, which opened an online version of the menu. This prevented the need to dispose of single-use paper menus, or institute cleaning and sanitizing procedures for permanent menus after each use.[72] Local television stations have also begun to utilize codes on local newscasts to allow viewers quicker access to stories or information involving the pandemic, including testing and immunization scheduling websites, or for links within stories mentioned in the newscasts overall.

In several Australian states, patrons are required to scan QR codes at shops, clubs, supermarkets and other service and retail establishments on entry to assist contact tracing. Singapore, Taiwan, the United Kingdom and New Zealand use similar systems.[73]

QR codes are also present on COVID-19 vaccination certificates in places such as Canada, and the EU (EU Digital COVID certificate) where they can be scanned to verify the information on the certificate.[74]

Design

Unlike the older, one-dimensional barcodes that were designed to be mechanically scanned by a narrow beam of light, a QR code is detected by a 2-dimensional digital image sensor and then digitally analyzed by a programmed processor. The processor locates the three distinctive squares at the corners of the QR code image, using a smaller square (or multiple squares) near the fourth corner to normalize the image for size, orientation, and angle of viewing. The small dots throughout the QR code are then converted to binary numbers and validated with an error-correcting algorithm.

Storage

The amount of data that can be stored in the QR code symbol depends on the data type (mode, or input character set), version (1, ..., 40, indicating the overall dimensions of the symbol, i.e. 4 × version number + 17 dots on each side), and error correction level. The maximum storage capacities occur for version 40 and error correction level L (low), denoted by 40-L:[11][75]

Maximum character storage capacity (40-L)
Character refers to individual values of the input mode (data type).

Input mode     Max. characters   Bits/char.                       Possible characters, default encoding
Numeric only   7,089             3⅓ (10 bits per 3 digits)         0, 1, 2, 3, 4, 5, 6, 7, 8, 9
Alphanumeric   4,296             5½ (11 bits per 2 characters)     0–9, A–Z (upper-case only), space, $, %, *, +, -, ., /, :
Binary/byte    2,953             8                                 ISO/IEC 8859-1
Kanji/kana     1,817             13                                Shift JIS X 0208


Error correction


Damaged but still decodable QR code, link to http://en.m.wikipedia.org


Example of a QR code with artistic embellishment that will still scan correctly thanks to error correction

QR codes use Reed–Solomon error correction over the finite field $\mathbb{F}_{256}$, the elements of which are encoded as bytes of 8 bits; the byte $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ with standard numerical value $\sum_{i=0}^{7} b_i 2^i$ encodes the field element $\sum_{i=0}^{7} b_i \alpha^i$, where $\alpha \in \mathbb{F}_{256}$ is taken to be a primitive element satisfying $\alpha^8 + \alpha^4 + \alpha^3 + \alpha^2 + 1 = 0$. The Reed–Solomon code uses one of 37 different polynomials over $\mathbb{F}_{256}$, with degrees ranging from 7 to 68, depending on how many error correction bytes the code adds. It is implied by the form of Reed–Solomon used (systematic BCH view) that these polynomials are all of the form $\prod_{i=0}^{n-1}(x - \alpha^i)$; however, the rules for selecting the degree $n$ are specific to the QR standard.

When discussing the Reed–Solomon code phase there is some risk of confusion, in that the QR ISO/IEC standard uses the term codeword for the elements of $\mathbb{F}_{256}$, which with respect to the Reed–Solomon code are symbols, whereas it uses the term block for what with respect to the Reed–Solomon code are the codewords. The number of data versus error correction bytes within each block depends on (i) the version (side length) of the QR symbol and (ii) the error correction level, of which there are four. The higher the error correction level, the less storage capacity. The following table lists the approximate error correction capability at each of the four levels:

Level L (Low) 7% of data bytes can be restored.
Level M (Medium) 15% of data bytes can be restored.
Level Q (Quartile)[76] 25% of data bytes can be restored.
Level H (High) 30% of data bytes can be restored.

In larger QR symbols, the message is broken up into several Reed–Solomon code blocks. The block size is chosen so that no attempt is made at correcting more than 15 errors per block; this limits the complexity of the decoding algorithm. The code blocks are then interleaved together, making it less likely that localized damage to a QR symbol will overwhelm the capacity of any single block.
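A worked Reed–Solomon encoder over $\mathbb{F}_{256}$ for the field and generator polynomials described above, as an added example (not the standard's or any library's code): it builds the exp/log tables from the primitive polynomial, multiplies out $\prod_{i=0}^{n-1}(x-\alpha^i)$, computes the error correction bytes of one block by polynomial division, and checks a received block by evaluating its syndromes. The 16 sample data codewords are a constructed version 1-M block (16 data plus 10 error correction codewords), ending in the alternating filler bytes EC 11 that pad a short message; locating and correcting errors in a damaged block is outside this example.

```python
PRIMITIVE = 0x11D   # x^8 + x^4 + x^3 + x^2 + 1, the QR field polynomial

# exp/log tables with alpha = 2 (the element x); 512 entries so sums of logs need no reduction
GF_EXP = [0] * 512
GF_LOG = [0] * 256
_v = 1
for _i in range(255):
    GF_EXP[_i] = _v
    GF_LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= PRIMITIVE
for _i in range(255, 512):
    GF_EXP[_i] = GF_EXP[_i - 255]


def gf_mul(a, b):
    """Multiply two field elements; addition in GF(2^8) is plain XOR."""
    if a == 0 or b == 0:
        return 0
    return GF_EXP[GF_LOG[a] + GF_LOG[b]]


def rs_generator(n):
    """Coefficients (highest degree first) of prod_{i=0}^{n-1} (x - alpha^i)."""
    g = [1]
    for i in range(n):
        root = GF_EXP[i]
        nxt = g + [0]
        for j, coef in enumerate(g):   # multiply by (x + root); minus equals plus here
            nxt[j + 1] ^= gf_mul(coef, root)
        g = nxt
    return g


def rs_parity(data, n):
    """The n error correction codewords of one block: remainder of data(x)*x^n mod g(x)."""
    gen = rs_generator(n)
    rem = list(data) + [0] * n
    for i in range(len(data)):
        coef = rem[i]                 # leading term to cancel; gen[0] == 1, so no inverse needed
        if coef:
            for j in range(1, len(gen)):
                rem[i + j] ^= gf_mul(gen[j], coef)
    return rem[len(data):]


def rs_encode(data, n):
    """Systematic codeword: the data bytes followed by the parity bytes."""
    return list(data) + rs_parity(data, n)


def poly_eval(poly, x):
    """Horner evaluation of a polynomial given highest degree first."""
    y = 0
    for c in poly:
        y = gf_mul(y, x) ^ c
    return y


def syndromes(codeword, n):
    """codeword(alpha^i) for i < n; all zero exactly when the block is a valid codeword."""
    return [poly_eval(codeword, GF_EXP[i]) for i in range(n)]


# Constructed sample: the 16 data codewords of a version 1-M block, the last six
# being the alternating filler bytes 0xEC, 0x11 that pad a short message.
SAMPLE_BLOCK = [0x20, 0x5B, 0x0B, 0x78, 0xD1, 0x72, 0xDC, 0x4D,
                0x43, 0x40, 0xEC, 0x11, 0xEC, 0x11, 0xEC, 0x11]

if __name__ == "__main__":
    block = rs_encode(SAMPLE_BLOCK, 10)
    print("parity:", [hex(b) for b in block[16:]])
    damaged = block[:]
    damaged[0] ^= 0xFF
    print("syndromes intact:", syndromes(block, 10))
    print("syndromes damaged:", syndromes(damaged, 10))
```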

Due to error correction, it is possible to create artistic QR codes with embellishments to make them more readable or attractive to the human eye, and to incorporate colors, logos, and other features into the QR code block; the embellishments are treated as errors, but the codes still scan correctly.[77][78]

It is also possible to design artistic QR codes without reducing the error correction capacity by manipulating the underlying mathematical constructs.[79][80] Image processing algorithms are also used to reduce errors in QR codes.[81]

Encoding

The format information records two things: the error correction level and the mask pattern used for the symbol. Masking is used to break up patterns in the data area that might confuse a scanner, such as large blank areas or misleading features that look like the locator marks. The mask patterns are defined on a grid that is repeated as necessary to cover the whole symbol. Modules corresponding to the dark areas of the mask are inverted. The format information is protected from errors with a BCH code, and two complete copies are included in each QR symbol.[4]
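The format information encoding and the eight mask conditions, as an added example that is not code from the page or from the standard. The five data bits are two bits of error correction level (L=01, M=00, Q=11, H=10) and three bits of mask pattern number; encode_format() appends the ten-bit BCH(15,5) remainder and XORs in the fixed string 101010000010010 so that no level/mask combination produces an all-zero string; decode_format() picks the nearest valid string, correcting up to three bit errors, which is what lets the format bits survive damage. MASK_CONDITIONS are the eight patterns over (row i, column j); which modules are data modules (is_data) is left to the caller, and choosing the best mask by the standard's penalty scoring is not included.

```python
FORMAT_GENERATOR = 0b10100110111     # BCH(15,5) generator polynomial x^10+x^8+x^5+x^4+x^2+x+1
FORMAT_XOR_MASK = 0b101010000010010  # fixed pattern XORed into every format string
EC_LEVEL_BITS = {"L": 0b01, "M": 0b00, "Q": 0b11, "H": 0b10}


def bch_remainder(data5):
    """Ten-bit remainder of data5 * x^10 divided by the generator (polynomial long division)."""
    value = data5 << 10
    for shift in range(4, -1, -1):               # clear bits 14 down to 10
        if value & (1 << (shift + 10)):
            value ^= FORMAT_GENERATOR << shift
    return value & 0x3FF


def encode_format(level, mask):
    """The 15-bit format string for an error correction level and mask pattern number."""
    data5 = (EC_LEVEL_BITS[level] << 3) | mask
    return ((data5 << 10) | bch_remainder(data5)) ^ FORMAT_XOR_MASK


def decode_format(bits15):
    """Recover (level, mask) from a read format string, correcting up to three bit errors.

    The code's minimum distance is 7, so the valid string within distance 3 is unique;
    returns None if no valid string is that close.
    """
    best = None
    for level in EC_LEVEL_BITS:
        for mask in range(8):
            distance = bin(bits15 ^ encode_format(level, mask)).count("1")
            if distance <= 3 and (best is None or distance < best[0]):
                best = (distance, level, mask)
    return None if best is None else (best[1], best[2])


# The eight mask conditions; a data module at (row i, column j) is inverted where true.
MASK_CONDITIONS = [
    lambda i, j: (i + j) % 2 == 0,
    lambda i, j: i % 2 == 0,
    lambda i, j: j % 3 == 0,
    lambda i, j: (i + j) % 3 == 0,
    lambda i, j: (i // 2 + j // 3) % 2 == 0,
    lambda i, j: (i * j) % 2 + (i * j) % 3 == 0,
    lambda i, j: ((i * j) % 2 + (i * j) % 3) % 2 == 0,
    lambda i, j: ((i + j) % 2 + (i * j) % 3) % 2 == 0,
]


def apply_mask(matrix, mask, is_data):
    """Return a copy of the 0/1 matrix with the mask applied to data modules only.
    Applying the same mask twice restores the original, since it is an XOR."""
    cond = MASK_CONDITIONS[mask]
    return [[bit ^ 1 if is_data(i, j) and cond(i, j) else bit
             for j, bit in enumerate(row)]
            for i, row in enumerate(matrix)]


if __name__ == "__main__":
    fmt = encode_format("M", 5)
    print(format(fmt, "015b"))                       # 100000011001110
    print(decode_format(fmt ^ 0b100000000000101))   # ('M', 5) despite three flipped bits
```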

The message data is placed from right to left in a zigzag pattern, in columns two modules wide that run alternately up and down the symbol. In larger symbols, this is complicated by the presence of the alignment patterns and the use of multiple interleaved error-correction blocks.

The general structure of a QR encoding is a sequence of 4-bit mode indicators, each followed by a payload whose length depends on the mode (e.g. in byte mode the payload length is given by the character count that follows the indicator).[82]

Mode indicator   Description               Typical structure [type : size in bits]
0001             Numeric                   [0001 : 4] [Character Count Indicator : variable] [Data Bit Stream : 10 bits per 3 digits (7 for 2 remaining digits, 4 for 1)]
0010             Alphanumeric              [0010 : 4] [Character Count Indicator : variable] [Data Bit Stream : 11 bits per 2 characters (6 for a final single character)]
0100             Byte encoding             [0100 : 4] [Character Count Indicator : variable] [Data Bit Stream : 8 × charcount]
1000             Kanji encoding            [1000 : 4] [Character Count Indicator : variable] [Data Bit Stream : 13 × charcount]
0011             Structured append         [0011 : 4] [Symbol Position : 4] [Total Symbols : 4] [Parity : 8]
0111             ECI                       [0111 : 4] [ECI Assignment number : variable]
0101             FNC1 in first position    [0101 : 4] [Numeric/Alphanumeric/Byte/Kanji payload : variable]
1001             FNC1 in second position   [1001 : 4] [Application Indicator : 8] [Numeric/Alphanumeric/Byte/Kanji payload : variable]
0000             End of message            [0000 : 4]

Note:

  • Character Count Indicator depends on how many modules are in a QR code (Symbol Version).
  • ECI Assignment number Size:
    • 8 × 1 bits if ECI Assignment Bitstream starts with '0'
    • 8 × 2 bits if ECI Assignment Bitstream starts with '10'
    • 8 × 3 bits if ECI Assignment Bitstream starts with '110'

Four-bit indicators are used to select the encoding mode and convey other information.

Encoding modes
Indicator Meaning
0001 Numeric encoding (10 bits per 3 digits)
0010 Alphanumeric encoding (11 bits per 2 characters)
0100 Byte encoding (8 bits per character)
1000 Kanji encoding (13 bits per character)
0011 Structured append (used to split a message across multiple QR symbols)
0111 Extended Channel Interpretation (select alternate character set or encoding)
0101 FNC1 in first position (see Code 128 for more information)
1001 FNC1 in second position
0000 End of message (Terminator)

Encoding modes can be mixed as needed within a QR symbol (e.g., a URL whose prefix needs byte mode followed by a long string of alphanumeric characters).

[ Mode Indicator][ Mode bitstream ] --> [ Mode Indicator][ Mode bitstream ] --> etc... --> [ 0000 End of message (Terminator) ]

After every indicator that selects an encoding mode is a length field that tells how many characters are encoded in that mode. The number of bits in the length field depends on the encoding and the symbol version.

Number of bits in a length field (Character Count Indicator)
Encoding Ver. 1–9 10–26 27–40
Numeric 10 12 14
Alphanumeric 9 11 13
Byte 8 16 16
Kanji 8 10 12

Alphanumeric encoding mode stores a message more compactly than the byte mode can, but cannot store lower-case letters and has only a limited selection of punctuation marks, which are sufficient for rudimentary web addresses. Two characters are coded in an 11-bit value by this formula:

V = 45 × C1 + C2

This has the exception that the last character in an alphanumeric string with an odd length is read as a 6-bit value instead.

Alphanumeric character codes
Code  Char   Code  Char   Code  Char   Code  Char   Code  Char
00    0      09    9      18    I      27    R      36    Space
01    1      10    A      19    J      28    S      37    $
02    2      11    B      20    K      29    T      38    %
03    3      12    C      21    L      30    U      39    *
04    4      13    D      22    M      31    V      40    +
05    5      14    E      23    N      32    W      41    -
06    6      15    F      24    O      33    X      42    .
07    7      16    G      25    P      34    Y      43    /
08    8      17    H      26    Q      35    Z      44    :
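Segment encoding and decoding for the numeric, alphanumeric and byte modes, as an added example (not code from the page or from any QR library), using the mode indicators, character count widths and the V = 45 × C1 + C2 formula given above. The inputs HELLO WORLD and 01234567 in the usage call are constructed. The decoder keeps leading zeros in numeric groups, which a naive integer-to-string conversion would drop; Kanji mode, ECI and padding up to the block size are left out.

```python
ALPHANUMERIC = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"   # code = index, 0..44

MODE_INDICATOR = {"numeric": "0001", "alphanumeric": "0010", "byte": "0100"}

# Character Count Indicator width for versions 1-9, 10-26, 27-40 (from the table above)
COUNT_BITS = {"numeric": (10, 12, 14), "alphanumeric": (9, 11, 13), "byte": (8, 16, 16)}

NUMERIC_GROUP_BITS = {3: 10, 2: 7, 1: 4}   # bits per group of 3, 2 or 1 trailing digits


def count_bits(mode, version):
    return COUNT_BITS[mode][0 if version <= 9 else 1 if version <= 26 else 2]


def encode_segment(text, mode, version):
    """Mode indicator + character count + data bits for one segment, as a '0'/'1' string."""
    bits = MODE_INDICATOR[mode] + format(len(text), "0%db" % count_bits(mode, version))
    if mode == "numeric":
        for k in range(0, len(text), 3):
            group = text[k:k + 3]
            bits += format(int(group), "0%db" % NUMERIC_GROUP_BITS[len(group)])
    elif mode == "alphanumeric":
        for k in range(0, len(text), 2):
            pair = text[k:k + 2]
            if len(pair) == 2:      # V = 45 * C1 + C2 in 11 bits
                v = 45 * ALPHANUMERIC.index(pair[0]) + ALPHANUMERIC.index(pair[1])
                bits += format(v, "011b")
            else:                   # odd trailing character in 6 bits
                bits += format(ALPHANUMERIC.index(pair), "06b")
    elif mode == "byte":            # default byte interpretation is ISO/IEC 8859-1
        bits += "".join(format(b, "08b") for b in text.encode("latin-1"))
    else:
        raise ValueError(mode)
    return bits


def decode_segments(bits, version):
    """Decode consecutive segments until the 0000 terminator or the end of the stream."""
    indicator_to_mode = {v: k for k, v in MODE_INDICATOR.items()}
    segments, pos = [], 0

    def take(n):
        nonlocal pos
        chunk = bits[pos:pos + n]
        pos += n
        return int(chunk, 2)

    while pos + 4 <= len(bits):
        indicator = bits[pos:pos + 4]
        pos += 4
        if indicator == "0000":
            break
        mode = indicator_to_mode[indicator]
        count = take(count_bits(mode, version))
        if mode == "numeric":
            text = ""
            while count:
                n = min(count, 3)
                text += str(take(NUMERIC_GROUP_BITS[n])).zfill(n)   # keep leading zeros
                count -= n
        elif mode == "alphanumeric":
            text = ""
            while count:
                if count >= 2:
                    v = take(11)
                    text += ALPHANUMERIC[v // 45] + ALPHANUMERIC[v % 45]
                    count -= 2
                else:
                    text += ALPHANUMERIC[take(6)]
                    count -= 1
        else:
            text = bytes(take(8) for _ in range(count)).decode("latin-1")
        segments.append((mode, text))
    return segments


if __name__ == "__main__":
    stream = encode_segment("HELLO WORLD", "alphanumeric", 1)
    print(stream)
    print(decode_segments(stream + encode_segment("01234567", "numeric", 1) + "0000", 1))
```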


Variants

Model 1

Model 1 QR code is an older version of the specification. It is visually similar to the widely seen Model 2 codes, but lacks alignment patterns. It differs in the bottom right corner, and has additional functional regions in the midsections of the bottom and right edges.

Micro QR code

Micro QR code is a smaller version of the QR code standard for applications where symbol size is limited. There are four different versions (sizes) of Micro QR codes: the smallest is 11×11 modules; the largest can hold 35 numeric characters.[83]

IQR code

IQR Code is an alternative to existing QR codes developed by Denso Wave. IQR codes can be created in square or rectangular formations; this is intended for situations where a rectangular barcode would otherwise be more appropriate, such as cylindrical objects. IQR codes can fit the same amount of information in 30% less space. There are 61 versions of square IQR codes, and 15 versions of rectangular codes. For squares, the minimum size is 9 × 9 modules; rectangles have a minimum of 19 × 5 modules. IQR codes add error correction level S, which allows for 50% error correction.[84] IQR Codes have not yet been given an ISO/IEC specification, and only proprietary Denso Wave products can create or read IQR codes.[85]

Secure QR code

Secure Quick Response (SQR) code is a QR code that contains a "private data" segment after the terminator instead of the specified filler bytes "ec 11".[86] This private data segment must be deciphered with an encryption key. This can be used to store private information and to manage a company's internal information.[87]

SQR codes have been developed by the FORUS Foundation to enable secure transactions, and published under a Creative Commons Licence. The SQR solution is intended to guarantee the integrity of the source data as well as the validity of the originating party. The payment instruction string is made up of the electronic instruction data from the scanned QR code appended with a SHA-2 cryptographic hash. The message digest is then signed with the private key of the sender, which creates a digital signature of the message. This signature validates the integrity of the data and the trustworthiness of the sender, providing non-repudiation: it confirms the identity of the sender and that the data has not been tampered with during transmission. Embedding the URL and all the variables required to perform shopping-cart e-commerce, bill payment and peer-to-peer payments, coupled with a digital certificate, is designed to prevent spoofing, tampering, and man-in-the-middle attacks.[88]

Frame QR

Frame QR is a QR code with a "canvas area" that can be flexibly used. In the center of this code is the canvas area, where graphics, letters, and more can be flexibly arranged, making it possible to lay out the code without losing the design of illustrations, photos, etc.[89]

HCC2D


Samples of the High Capacity Colored 2-Dimensional (HCC2D) code: (a) 4-color HCC2D code and (b) 8-color HCC2D code.

Researchers have proposed a new High Capacity Colored 2-Dimensional (HCC2D) Code, which builds upon a QR code basis for preserving the QR robustness to distortions and uses colors for increasing data density (as of 2014 it is still in the prototyping phase). The HCC2D code specification is described in detail in Querini et al. (2014),[90] while techniques for color classification of HCC2D code cells are described in detail in Querini and Italiano (2014),[91] which is an extended version of Querini and Italiano (2013).[92]

Introducing colors into QR codes requires addressing additional issues. In particular, during QR code reading only the brightness information is taken into account, while HCC2D codes have to cope with chromatic distortions during the decoding phase. In order to ensure adaptation to chromatic distortions which arise in each scanned code, HCC2D codes make use of an additional field: the Color Palette Pattern. This is because color cells of a Color Palette Pattern are supposed to be distorted in the same way as color cells of the Encoding Region. Replicated color palettes are used for training machine learning classifiers.

JAB code


Wikipedia greetings with link encoded using eight-colour JAB code

JAB code (Just Another Barcode) is a color 2D matrix symbology made of color squares arranged in either square or rectangle grids. It was developed by Fraunhofer Institute SIT (Secure Information Technology).[93]

The code contains one primary symbol and optionally multiple secondary symbols. The primary symbol contains four finder patterns located at the corners of the symbol.[94]

The code uses either 4 or 8 colours.[95] The 4 basic colours (cyan, magenta, yellow, black) are the 4 primary colours of the subtractive CMYK color model which is the most widely used system in industry for colour printing on a white base such as paper. The other 4 colours (blue, red, green, white) are secondary colours of the CMYK model and originate as an equal mixture of a pair of basic colours.

The barcode is not subject to licensing and was submitted to ISO/IEC standardization as ISO/IEC 23634 expected to be approved at the beginning of 2021[96] and finalized in 2022.[95] The software is open-source and published under the LGPL v2.1 license.[97] The specification is freely available.[94]

Because the colour adds a third dimension to the two-dimensional matrix, a JAB code can contain more information in the same area compared to two-colour (black and white) codes: theoretically twice as much data for a 4-colour code and three times as much for 8 colours, assuming the same encoding algorithm. This can allow storage of an entire message in the barcode, rather than just storing partial data with a reference to a full message somewhere else (such as a link to a website), thus eliminating the need for additional always-available infrastructure beyond the printed barcode itself. It may be used to digitally sign an encrypted digital version of printed legal documents, contracts and certificates (diplomas, training), medical prescriptions, or to provide product authenticity assurance to increase protection against counterfeits.[95]

License

The use of QR code technology is freely licensed as long as users follow the standards for QR Code documented with JIS or ISO/IEC. Non-standardized codes may require special licensing.[98]

Denso Wave owns a number of patents on QR code technology, but has chosen to exercise them in a limited fashion.[98] In order to promote widespread usage of the technology, Denso Wave chose to waive its rights to a key patent in its possession for standardized codes only.[14] In the US, the granted QR code patent is US 5726435, and in Japan JP 2938338, both of which have expired. The European Patent Office granted patent EP 0672994 to Denso Wave, which was then validated into French, UK, and German patents, all of which expired in March 2015.[99]

The text QR Code itself is a registered trademark and wordmark of Denso Wave Incorporated.[100] In UK, the trademark is registered as E921775, the term QR Code, with a filing date of 3 September 1998.[101] The UK version of the trademark is based on the Kabushiki Kaisha Denso (DENSO CORPORATION) trademark, filed as Trademark 000921775, the term QR Code, on 3 September 1998 and registered on 16 December 1999 with the European Union OHIM (Office for Harmonization in the Internal Market).[102] The U.S. Trademark for the term QR Code is Trademark 2435991 and was filed on 29 September 1998 with an amended registration date of 13 March 2001, assigned to Denso Corporation.[103]

Risks

The only context in which common QR codes can carry executable data is the URL data type. Such a URL may point to a page hosting JavaScript, which can be used to exploit vulnerabilities in applications on the host system, such as the reader, the web browser or the image viewer, since a reader will typically hand the data to the application associated with the data type used by the QR code.

Even without software exploits, malicious QR codes combined with a permissive reader can still put a computer's contents and the user's privacy at risk. This practice is known as "attagging", a portmanteau of "attack tagging".[104] Such codes are easily created and can be affixed over legitimate QR codes.[105] On a smartphone, the reader's permissions may allow use of the camera, full Internet access, read/write access to contact data, GPS, browser history and local storage, and global system changes.[106][107][108]

Risks include linking to dangerous web sites with browser exploits; enabling the microphone, camera or GPS and streaming those feeds to a remote server; analysis of sensitive data (passwords, files, contacts, transactions);[109] sending email, SMS or IM messages, or packets for DDoS as part of a botnet; corrupting privacy settings; stealing identity;[110] and even containing malicious logic themselves such as JavaScript[111] or a virus.[112][113] These actions could occur in the background while the user sees only the reader opening a seemingly harmless web page.[114] In Russia, a malicious QR code caused phones that scanned it to send premium texts at a fee of $6 each.[104] QR codes have also been linked to scams in which stickers are placed on parking meters, posing as quick payment options, as seen in Austin, San Antonio and Boston, among other cities across the United States and Australia.[115][116][117]
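A reader-side triage of the decoded payload, as an added example that is not code from the page or from any scanner: it classifies the payload by scheme and returns the reasons a reader should display it and ask for consent before acting, rather than dispatching it to the browser, dialer or messaging app automatically. The scheme sets and flag texts are this example's own choices, keyed to the risks listed above (script-bearing URLs, premium-rate messages, and links whose real destination is not what the user sees).

```python
from urllib.parse import urlsplit

EXECUTABLE_SCHEMES = {"javascript", "data", "vbscript"}   # content executes when "opened"
ACTION_SCHEMES = {"tel", "sms", "smsto", "mms", "mailto"}  # calls or messages, possibly at a cost
WEB_SCHEMES = {"http", "https"}


def triage_payload(payload):
    """Classify a decoded QR payload. Returns (kind, flags); a non-empty flags list means
    the reader must show the payload and get explicit consent before acting on it."""
    text = payload.strip()
    if text.upper().startswith("WIFI:"):
        return "wifi", ["joins a network using the embedded passphrase; confirm the SSID with the user"]
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in EXECUTABLE_SCHEMES:
        return "url", ["scheme carries executable content; never open"]
    if scheme in ACTION_SCHEMES:
        return "action", ["starts a call or message, possibly at a cost; confirm with the user"]
    if scheme in WEB_SCHEMES:
        flags = []
        u = urlsplit(text)
        if scheme == "http":
            flags.append("cleartext http; the page can be altered in transit")
        if u.username is not None or u.password is not None:
            # "user:pass@" before the host disguises where the link really goes
            flags.append("userinfo before the host; the real host is %s" % (u.hostname or "?"))
        return "url", flags
    return "text", []


if __name__ == "__main__":
    for sample in ["https://example.org/", "http://bank.example@evil.example/login",
                   "sms:+12345?body=hi", "javascript:alert(1)", "WIFI:S:x;T:WPA;P:y;;"]:
        print(sample, "->", triage_payload(sample))
```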

See also

  • Aztec Code
  • Data Matrix
  • PDF417
  • QRpedia
  • SnapTag
  • SPARQCode
  • Touchatag

References

  1. ^ Hung, Shih-Hsuan; Yao, Chih-Yuan; Fang, Yu-Jen; Tan, Ping; Lee, RuenRone; Sheffer, Alla; Chu, Hung-Kuo (1 September 2020). "Micrography QR Codes". IEEE Transactions on Visualization and Computer Graphics. 26 (9): 2834–2847. doi:10.1109/TVCG.2019.2896895. ISSN 1077-2626. PMID 30716038. S2CID 73433883.
  2. ^ Chen, Rongjun; Yu, Yongxing; Xu, Xiansheng; Wang, Leijun; Zhao, Huimin; Tan, Hong-Zhou (11 December 2019). "Adaptive Binarization of QR Code Images for Fast Automatic Sorting in Warehouse Systems". Sensors. 19 (24): 5466. Bibcode:2019Senso..19.5466C. doi:10.3390/s19245466. PMC 6960674. PMID 31835866.
  3. ^ "QR Code features". Denso-Wave. Archived from the original on 29 January 2013. Retrieved 3 October 2011.
  4. ^ a b c "QR Code Essentials". Denso ADC. 2011. Archived from the original on 12 May 2013. Retrieved 12 March 2013.
  5. ^ "QRコード開発|テクノロジー|デンソーウェーブ" [QR code development]. Denso Wave (in Japanese). Retrieved 26 October 2021.
  6. ^ "2D Barcodes". NHK World-Japan. 26 March 2020.
  7. ^ "From Japanese auto parts to ubiquity: A look at the history of QR codes". Mainichi Daily News. 9 November 2021. Retrieved 11 November 2021.
  8. ^ "The Little-Known Story of the Birth of the QR Code". 10 February 2020. Archived from the original on 4 March 2020.
  9. ^ a b Borko Furht (2011). Handbook of Augmented Reality. Springer. p. 341. ISBN 9781461400646. Archived from the original on 21 December 2016.
  10. ^ Joe Waters. "How to Use the Top QR Code Generators". Dummies.com. Archived from the original on 11 September 2017. Retrieved 5 June 2017.
  11. ^ a b "QR Code—About 2D Code". Denso-Wave. Archived from the original on 5 June 2016. Retrieved 27 May 2016.
  12. ^ "14m Americans scanned QR and bar codes with their mobiles in June 2011". 16 August 2011. Archived from the original on 5 April 2016. Retrieved 27 May 2016.
  13. ^ "U.S. and UK increase of QR code use 2020". 6 July 2021. Retrieved 13 August 2021.
  14. ^ a b "QR Code Standardization". QR Code.com. Denso-Wave. Archived from the original on 10 May 2016. Retrieved 23 May 2016.
  15. ^ "ISS QR Code|AIM Store: Historical Archive". Aimglobal.org. Archived from the original on 8 August 2016. Retrieved 26 May 2016.
  16. ^ "ISO/IEC 18004:2006 – Information technology – Automatic identification and data capture techniques – QR Code 2005 bar code symbology specification". www.iso.org. Archived from the original on 8 March 2017. Retrieved 7 March 2017.
  17. ^ "Synchronization with Native Applications". NTT DoCoMo. Archived from the original on 6 August 2016. Retrieved 26 May 2016.
  18. ^ Sean Owen (17 January 2014). "Barcode contents". GitHub. Archived from the original on 15 February 2016. Retrieved 26 May 2016.
  19. ^ Rimma Kats (23 January 2012). "Starbucks promotes coffee blend via QR codes". Archived from the original on 3 June 2016. Retrieved 26 May 2016.
  20. ^ Jenny Lee (4 January 2012). "Tesco's cool QR code advertising campaign". Archived from the original on 3 June 2016. Retrieved 26 May 2016.
  21. ^ "Getting Started with Infographics (deprecated)". google-developers.appspot.com. 26 May 2015. Archived from the original on 29 June 2016. Retrieved 27 May 2016.
  22. ^ "QR Code Readers for iPhone, Android, Blackberry and Windows Phone 7". 7 December 2010. Archived from the original on 25 August 2011.
  23. ^ "QR codes on China's train tickets may leak personal information". Want China Times. Archived from the original on 12 December 2013. Retrieved 16 March 2013.
  24. ^ Novak, Asami (23 March 2008). "Japanese Gravestones Memorialize the Dead With QR Codes". Wired. Archived from the original on 15 February 2013. Retrieved 8 May 2013.
  25. ^ Skepticality (5 July 2011). "Paranormality". Skepticality.com. Archived from the original on 3 July 2015. Retrieved 27 June 2015.
  26. ^ "Herdenkingsmunt met QR code volop in het nieuws!" [Commemorative QR code in the news!]. Koninklijke Nederlandse Munt (in Dutch). 21 June 2011. Archived from the original on 29 June 2016. Retrieved 27 May 2016.
  27. ^ "New ₦100 Commemorative Centenary Celebration". Archived from the original on 8 September 2015. Retrieved 10 September 2015.
  28. ^ www.ETRetail.com. "With IndiaQR launch, retail payments to get digital edge - ET Retail". ETRetail.com. Archived from the original on 15 February 2017. Retrieved 15 February 2017.
  29. ^ "IndiaQR to debut on Feb 20". The Times of India. Archived from the original on 16 February 2017. Retrieved 15 February 2017.
  30. ^ Hein, Buster (21 September 2017). "How to scan QR codes with iOS 11's Camera app". Cult of Mac. Archived from the original on 5 January 2019. Retrieved 28 May 2019.
  31. ^ Lacoma, Tyler (3 October 2018). "How to Scan a QR Code". Digital Trends. Archived from the original on 22 April 2019. Retrieved 28 May 2019.
  32. ^ "Tesco QR Code Virtual Store". 14 April 2012. Archived from the original on 25 May 2016. Retrieved 26 May 2016.
  33. ^ Sebastián Campanario (16 September 2011). "Marketing futurista: ya se puede comprar con la cámara del celular" [Futuristic marketing: it's already possible to purchase with a cellphone's camera] (in Spanish). Archived from the original on 23 September 2011.
  34. ^ "Marketers scatter phone-friendly codes across ads". 11 November 2010. Retrieved 26 May 2016.
  35. ^ "Top 10 QR Code Store examples". 14 April 2012. Archived from the original on 6 June 2016. Retrieved 26 May 2016.
  36. ^ "SCVNGR Unveils QR Code Payment System". Mashable. 12 October 2011. Archived from the original on 8 December 2012.
  37. ^ "MasterCard starts piloting QkR mobile payment app". 26 January 2012. Archived from the original on 8 January 2014.
  38. ^ Jacobs, Harrison. "One photo shows that China is already in a cashless future". Business Insider. Retrieved 14 October 2019.
  39. ^ Mozur, Paul (16 July 2017). "In Urban China, Cash Is Rapidly Becoming Obsolete". The New York Times. ISSN 0362-4331. Retrieved 14 October 2019.
  40. ^ "Paying With Your Mobile Wallet To Get Simpler With Interoperable QR Codes". Moneycontrol. Retrieved 22 December 2020.
  41. ^ "A Hangzhou Story: The Development of China's Mobile Payment Revolution" (PDF).
  42. ^ "Payment methods in China: How China became a mobile-first nation". daxueconsulting.com. Retrieved 23 June 2020.
  43. ^ "Standard - Formát pro sdílení platebních údajů v rámci tuzemského platebního styku v CZK prostřednictvím QR kódů" [Standard No. 26: Format for exchanging payment information for domestic payments in CZK using QR codes] (in Czech). Czech Banking Association. November 2012. Archived from the original on 3 June 2016. Retrieved 27 May 2016.
  44. ^ "Formát pro sdílení platebních údajů v CZK - QR kódy" [Format for exchanging payment information in CZK - QR codes] (in Czech). Czech Banking Association. August 2015. Retrieved 17 February 2020.
  45. ^ IMDA (9 November 2022). "Annex A – Fact sheet on Singapore Quick Response Code (SGQR)" (PDF).
  46. ^ Monetary Authority of Singapore (9 November 2022). "Singapore Quick Response Code (SGQR)".
  47. ^ Monetary Authority of Singapore (9 November 2022). "Singapore Quick Response Code (SGQR)".
  48. ^ "Google testing login authentication via QR codes". ZDNet. Archived from the original on 15 June 2013.
  49. ^ "Mobile ticket generation|applications|QR Code Solutions|system solutions|DENSO WAVE". www.denso-wave.com.
  50. ^ "【公式】チケットの使い方 東京ディズニーリゾート" (in Japanese).
  51. ^ "ダイレクトイン(QRコード)の使い方|USJ WEBチケットストア". USJ (in Japanese).
  52. ^ "QRチケットレス入場について". サンフレッチェ広島 オフィシャルサイト (in Japanese).
  53. ^ "スマートスタジアム". 東北楽天ゴールデンイーグルス (in Japanese).
  54. ^ Modern Restaurant Management (22 October 2020). "Restaurant QR Codes: 2020's Comeback Story". Modern Restaurant Management. Retrieved 1 November 2020.
  55. ^ a b Kastrenakes, Jacob (29 September 2020). "Square launches QR codes that let you order from your table at a restaurant". Verge.com. VOX Media LLC. Retrieved 24 November 2020.
  56. ^ Glass, Noah (7 October 2020). "How To Prepare For Table Service 2.0". Forbes. Retrieved 24 November 2020.
  57. ^ "Share your Wi-Fi SSID & Password using a QR Code". 19 July 2015.
  58. ^ "zxing documentation: barcode contents". GitHub. zxing.
  59. ^ "モノウォッチは生まれ変わります". Archived from the original on 13 November 2015. Retrieved 10 September 2015.
  60. ^ Michael Keferl (20 March 2008). "QR code graves give a "Memorial Window"". Japan Trends. Archived from the original on 2 May 2012.
  61. ^ "供養の窓 - 石の声 株式会社" (in Japanese). Archived from the original on 13 November 2015. Retrieved 10 September 2015.
  62. ^ "Quiring Monuments adds smartphone codes to gravestones". Puget Sound Business Journal. 26 April 2011. Archived from the original on 23 June 2015. Retrieved 10 September 2015.
  63. ^ "Uruguayan Jewish Cemetery QR-ified" (in Spanish). EL PAIS. 24 March 2014. Archived from the original on 3 August 2016.
  64. ^ "Exclusive - CHINA: Pernod Ricard to use QR codes on all China packaging". www.just-drinks.com. 17 September 2013. Retrieved 24 April 2020.
  65. ^ "Digital tax stamps will curb fake goods - URA". Daily Monitor. Retrieved 24 April 2020.
  66. ^ "The power of smart packaging". www.bakingbusiness.com. Retrieved 3 May 2020.
  67. ^ Baldini, Gianmarco; Nai Fovino, Igor; Satta, Riccardo; Tsois, Aris; Checchi, Enrico (2015). Survey of techniques for the fight against counterfeit goods and Intellectual Property Rights (IPR) infringement. Luxembourg: European Commission. Joint Research Centre, Publications Office. ISBN 978-92-79-54543-6. OCLC 948769705.
  68. ^ Carron, Cecilia (6 May 2015). "Combatting counterfeiting using QR codes". phys.org. Retrieved 16 June 2020.
  69. ^ Li, Tongzhe; Messer, Kent D. (2019). "To Scan or Not to Scan: The Question of Consumer Behavior and QR Codes on Food Packages". Journal of Agricultural and Resource Economics. doi:10.22004/ag.econ.287977. ISSN 1068-5502.
  70. ^ Kim, Yeong Gug; Woo, Eunju (1 July 2016). "Consumer acceptance of a quick response (QR) code for the food traceability system: Application of an extended technology acceptance model (TAM)". Food Research International. 85: 266–272. doi:10.1016/j.foodres.2016.05.002. ISSN 0963-9969. PMID 29544844.
  71. ^ "Behind Every Smart Product is Smart Packaging | Future Food Asia". futurefoodasia.com. Retrieved 24 June 2020.
  72. ^ Leger, Benjamin (27 October 2020). "QR codes are replacing physical menus at restaurants". [225]. Retrieved 1 November 2020.
  73. ^ Purtill, James (19 November 2020). "The proliferation of QR code check-ins is a 'dog's breakfast'. Is there a better way?". www.abc.net.au. Australian Broadcasting Corporation. Retrieved 15 January 2021.
  74. ^ Hristova, Bobby (28 December 2021). "Ontarians need QR code to prove vaccination next week. Here's what you need to know". Retrieved 30 December 2021.
  75. ^ "Information capacity and versions of QR Code". Denso-Wave. Archived from the original on 29 May 2016.
  76. ^ "2D Barcode: QR-Code". TEC-IT. Archived from the original on 15 September 2012.
  77. ^ Hajra Shannon (18 October 2010). "Form Meets Function: Functionality and Form of QR Codes". Retrieved 29 July 2010.
  78. ^ Hamilton Chan (18 April 2011). "HOW TO: Make Your QR Codes More Beautiful". Mashable. Archived from the original on 10 July 2012. Retrieved 29 July 2011.
  79. ^ Russ Cox (12 April 2012). "QArt Codes: How to make pictures with QR codes, part II". Archived from the original on 21 March 2015. Retrieved 8 May 2015.
  80. ^ Russ Cox (12 April 2012). "QArt Coder". Archived from the original on 24 April 2015. Retrieved 8 May 2015.
  81. ^ Gupta, Kishor Datta; Ahsan, Md Manjurul; Andrei, Stefan (January 2018). "Extending the Storage Capacity And Noise Reduction of a Faster QR-Code". Brain Broad Research in Artificial Intelligence and Neuroscience. 9 (1): 59–71.
  82. ^ ISO/IEC 18004:2006(E) § 6.4 Data encoding; Table 3 – Number of bits in character count indicator for QR Code 2005
  83. ^ Information technology – Automatic identification and data capture techniques – QR Code 2005 bar code symbology specification, ISO/IEC 18004:2006 cor. 2009, pages 3, 6.
  84. ^ "QR Code Overview & Progress of QR Code Applications" (PDF). Archived (PDF) from the original on 20 May 2013. Retrieved 26 June 2014.
  85. ^ "iQR Code - QRcode.com - DENSO WAVE". Archived from the original on 7 September 2015. Retrieved 10 September 2015.
  86. ^ "Embedding Secret Data in QR Code". Retrieved 29 October 2018.
  87. ^ "SQRC". qrcode.com. Retrieved 26 December 2017.
  88. ^ "FORUS". www.forus.co.za. Retrieved 27 December 2020.
  89. ^ "Frame QR". qrcode.com. Retrieved 26 December 2017.
  90. ^ "2D Color Barcodes for Mobile Phones" (PDF). Archived from the original (PDF) on 4 March 2016.
  91. ^ "Reliability and data density in high capacity color barcodes" (PDF). Archived from the original (PDF) on 24 July 2015.
  92. ^ "Color classifiers for 2D color barcodes" (PDF). Fedcsis.org. 2013. Archived (PDF) from the original on 24 July 2015.
  93. ^ "JAB code website". jabcode.org. 2019.
  94. ^ a b "JAB code technical specification" (PDF). www.bsi.bund.de. 2019.
  95. ^ a b c Küch, Oliver (26 June 2020). "Color barcode becomes ISO standard" (Press release). Darmstadt: Fraunhofer Institute for Secure Information Technology. Retrieved 17 February 2021.
  96. ^ "ISO/IEC DIS 23634 Information technology — Automatic identification and data capture techniques — JAB Code polychrome bar code symbology specification". ISO/IEC. Retrieved 17 February 2021.
  97. ^ "jabcode". GitHub. 2019.
  98. ^ a b "About the patent". Denso-Wave. Archived from the original on 25 June 2016. Retrieved 26 June 2016.
  99. ^ "DPA". "INPI". Archived from the original on 13 August 2016. "UK IPO". 9 March 2013.
  100. ^ "QR Code.com". Denso-Wave. 6 November 2003. Archived from the original on 15 September 2012. Retrieved 23 April 2009.
  101. ^ "UK QR Code Trademark". Archived from the original on 15 September 2012.
  102. ^ "EU QR Code Trademark". Archived from the original on 15 September 2012.
  103. ^ "US QR Code Trademark". Archived from the original on 15 September 2012.
  104. ^ a b "Jargon Watch", Wired, vol. 20, no. 1, p. 22, January 2012.
  105. ^ "Malicious Images: What's a QR Code". SANS Technology Institute. 3 August 2011. Archived from the original on 13 July 2012. Retrieved 31 August 2011.
  106. ^ "Barcode Scanner". 1 June 2011. Archived from the original on 15 September 2012. Retrieved 31 August 2011.
  107. ^ "QR Droid". 19 August 2011. Archived from the original on 15 September 2012. Retrieved 31 August 2011.
  108. ^ "ScanLife Barcode Reader". 24 May 2011. Archived from the original on 15 September 2012. Retrieved 31 August 2011.
  109. ^ "Consumer Alert: QR Code Safety". Better Business Bureau. 23 June 2011. Archived from the original on 15 July 2012. Retrieved 31 August 2011.
  110. ^ "AVG Cautions: Beware of Malicious QR Codes". PC World. 28 June 2011. Archived from the original on 7 September 2012. Retrieved 31 August 2011.
  111. ^ "EvilQR – When QRCode goes bad". AppSec-Labs Blog. 14 August 2011. Archived from the original on 15 September 2012. Retrieved 31 August 2011.
  112. ^ "QR Codes: A Recipe for a Mobile Malware Tsunami". Cyveillance, Inc. 20 October 2010. Archived from the original on 28 July 2012. Retrieved 31 August 2011.
  113. ^ QR codes hold up to 2.9 KB, whereas the smallest known computer virus is about one-tenth that size: "The Smallest Virus I Could Manage". Virus Labs and Distribution. 1995. Archived from the original on 15 September 2012. Retrieved 31 August 2011.
  114. ^ "Beware of Malicious QR Codes". ABC. 8 June 2011. Archived from the original on 1 August 2012. Retrieved 31 August 2011.
  115. ^ Binder, Matt. "Beware the QR code scams". Mashable. Retrieved 18 January 2022.
  116. ^ Vincent, James (12 January 2022). "The latest phishing scam to watch out for: fraudulent QR codes on parking meters". The Verge. Retrieved 18 January 2022.
  117. ^ Wodinsky, Shoshana (12 January 2022). "Scammers Are Using QR Codes to Plunder Parking Meter Payments". Gizmodo.

Bibliography

  • BS ISO/IEC 18004:2006. Information technology. Automatic identification and data capture techniques. Bar code symbology. QR Code. Geneva: ISO/IEC. 2000. p. 114. OCLC 60816353.
  • BS ISO/IEC 18004:2006. Information technology. Automatic identification and data capture techniques. QR Code 2005 bar code symbology specification. London: BSI. 2007. p. 126. ISBN 978-0-580-67368-9. Archived from the original on 22 March 2015. Retrieved 26 July 2010.
External links

  • Reed Solomon Codes for Coders – an elaborate tutorial on Wikiversity, covering both QR code structure and the Reed Solomon codes used to encode the data.

Retrieved from "https://en.wikipedia.org/w/index.php?title=QR_code&oldid=1124941552"