Sorry to be pedantic, but since we’re talking about trust, QR codes don’t have to be URLs. They can encode arbitrary data, including URLs but also vCards, wifi invites, phone numbers to call, and sometimes malware, as above.
You can’t be certain before scanning that a QR code is showing a URL. Even if they write the URL below the QR code, there’s no guarantee the QR code actually matches that (and often it won’t, since they’ll likely point to a tracking URL instead).
It is very different from a simple URL. To your phone, scanning a code is more like getting an email or receiving a text. It has to decode it first (which can itself be a buggy process) and then it has to parse the data in it (another potential vulnerability) and then choose which app to handle it with (another potential vulnerability) and then if the app opens it, the app itself then has to parse and process that payload (another vulnerability).
It’s not a great risk, usually, but if in doubt, just ask somebody for the URL and manually type it in instead.
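The point in the comment above, that a decoded QR payload may not be a URL at all and may not match the URL printed beneath it, as an added example that is not part of the original comment. The function names and sample payloads are constructed for illustration, and the prefix table covers only common de facto payload conventions.

```python
from urllib.parse import urlsplit

# Common non-URL QR payload prefixes (de facto conventions, not exhaustive).
PREFIXES = {
    "WIFI:": "wifi",
    "BEGIN:VCARD": "vcard",
    "MECARD:": "contact",
    "TEL:": "phone",
    "SMSTO:": "sms",
    "SMS:": "sms",
    "MAILTO:": "email",
    "GEO:": "geo",
}


def classify(payload: str) -> str:
    """Label an already-decoded QR payload string by what it asks the phone to do."""
    text = payload.strip()
    upper = text.upper()
    for prefix, kind in PREFIXES.items():
        if upper.startswith(prefix):
            return kind
    try:
        parts = urlsplit(text)
    except ValueError:  # e.g. malformed bracketed host
        return "malformed"
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url"
    # Any other scheme may be routed to an app handler rather than a browser.
    return "other-scheme" if parts.scheme else "text"


def matches_printed(payload: str, printed_url: str) -> bool:
    """True only if the payload is a web URL on the same host as the printed one."""
    if classify(payload) != "url":
        return False
    if "://" not in printed_url:
        printed_url = "https://" + printed_url
    # hostname ignores any userinfo before '@' and is lowercased by urlsplit.
    return urlsplit(payload.strip()).hostname == urlsplit(printed_url).hostname


if __name__ == "__main__":
    for sample in ("WIFI:T:WPA;S:cafe;P:example;;", "https://example.com/menu"):
        print(classify(sample), "<-", sample)
```
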
I didn’t see the Echo post but have had the same complaints for years. “Alexa, **** off” at least works to shut it up. But when I’m about to run out the door, late, and say “Alexa, temperature now”, I want the temperature and not a greeting and an ad!
Amazon totally lost the plot on the Echo and have wasted TONS of money on it.
This seems like a really high-effort, complicated way to save a password, not to mention strangely dumb. People are savvy enough to generate a QR code and then use it to post their password in plain sight? Wow.
In the case of people using linear barcodes, I saw it happen in warehouse environments where people already had access to a bar code printer for product and location labelling and already had scanners attached to their machines for production purposes. They were convinced the barcodes were a secure way of encoding passwords just because they weren’t immediately human-readable.
Okay, that makes more sense. Still an interesting look at the human mind.
I guess the other thing I was not acknowledging is that often passwords are seen as an annoying inconvenience that is implemented in an overly restricted way.