I played around yesterday with the idea of using QR-codes as an offline password storage. This way I don’t have to rely on a database of passwords stored on my computer or in the cloud. I shudder at the thought of storing passwords in the cloud, encrypted or not. Instead my idea is to have printed QR codes in a binder, encrypted using a master password. To clarify, the content inside the QR code will be encrypted.
Instead of coming up with my own scheme, I try to emulate one of the encryption scheme that Keepass uses to encrypt it’s database. It uses a keyfile and a master password to generate a AES key which then decrypts/encrypts the database.
I managed to get a proof of concept working in python as well as a very basic android app with a hardcoded master password working. If you’re interested, you can see my progress here: https://github.com/Tethik/qrpass
Some thoughts around this though:
Pro’s:
- Having the QR codes as “physical” I feel adds another layer of security. In order to get the password you have to have all three components: the QR code, the AES keyfile and the master password.
- Master password does not necessarily have to be the same for all stored passwords, much the same way you can have multiple databases in Keepass.
- Mitigates some of the danger from getting your computer hacked. I imagine keyloggers working against keepass for example.
- I believe paper trumps computers for long term storage. At least in my household. Easy to make backups.
- Given the error-correcting nature of QR-codes, they could be customized with for example logos etc-
Con’s:
- One of the good things about Keepass is the ability to “copy-paste” long and complicated password strings. If I wanted the same functionality in an android app to a computer, I would have to engineer some solution for this as well, which might be difficult if we don’t want to rely on a third party service or have to install something on the computer. Copying strings of 30+ random ascii characters by hand is not very practical.
- Changing passwords is obviously more of a hassle. You have to print out a new QR code every time!
- I believe there is an upper bound to how much data can be stored inside a QR code. I would have to do some research to see how long the max password to store would be and how reliable QR codes are.
Tl;dr; maybe more secure, less practical? For personal use I feel like it could work.