Can a QR Code Steal Your Passwords?
The direct answer: no, scanning a QR code cannot extract passwords stored in your password manager, browser keychain, or device. But a malicious QR code can open a fake login page that tricks you into handing over the password yourself — and some attacks are sophisticated enough to bypass multi-factor authentication. Here is exactly what can and cannot happen.
What a QR code actually does — and cannot do
A QR code is a visual encoding of a short piece of text, in practice almost always a URL. When your phone scans it, the camera app decodes the URL and asks whether you want to open it. That is the entire technical action of scanning — no code runs, no permissions are requested, and no data is read from your device.
This means a QR code by itself cannot access your password manager, read browser-saved credentials, bypass biometric authentication, or interact with any app on your phone. Your saved passwords are never at risk from the act of scanning.
The risk is always social, not technical
Attackers use QR codes to deliver you to a convincing fake login page — and then rely on you to type in the password they want. The QR code is the delivery vehicle. The phishing page is the weapon.
The two mechanisms attackers use to steal passwords via QR code
Understanding how the attack works helps you recognize it before you are caught.
1. Fake login page (credential harvesting)
The QR code opens a page that is a pixel-perfect replica of a Google sign-in, Apple ID login, Facebook, bank portal, or Microsoft 365 page. The URL looks close but is not the real domain. When you type your email and password, those credentials are sent directly to the attacker's server. You may even be redirected to the real site afterward so you think you simply mistyped the first time.
2. Adversary-in-the-middle (AiTM) attack
More sophisticated attacks use a reverse-proxy server that sits between you and the real site. You interact with what appears to be the real login — your password goes through the proxy and is relayed to the real site, so your multi-factor authentication actually completes. But the proxy captures your authenticated session cookie the moment the MFA succeeds. The proxy also sees the password as it passes through, but it does not even need it: with the session cookie the attacker is already logged in as you and can access your account without facing the MFA prompt themselves.
Both attacks share one tell: the URL in your browser's address bar is not the real domain. That is the single most reliable warning sign.
What a QR code cannot do to your passwords — regardless
- Read passwords stored in your password manager (1Password, Bitwarden, iCloud Keychain, etc.)
- Access passwords saved in your browser without your involvement
- Bypass Face ID, Touch ID, or a device PIN to unlock credentials
- Extract saved credentials from any app through the browser sandbox
- Cause your browser's autofill to submit credentials on its own to the phishing page
Note on autofill: modern browsers and password managers do check the domain before offering to autofill saved credentials. If the page URL does not match the saved entry, autofill will not populate the fields. This is an important safety layer — but it is not foolproof if you type the password manually. If your password manager stays silent on a login page it normally fills, treat that silence as a warning sign rather than typing the password by hand.
What to do if a QR code led you to a login page and you entered your password
Speed matters. Take these steps in order:
- Change the password immediately — do this on a separate, trusted device so you are not still on the attacker's network or browser session. Go directly to the real site by typing the URL yourself.
- End all active sessions — most accounts have a “Sign out of all devices” option in Security Settings. Use it to kick out any session the attacker may already have.
- Enable two-factor authentication if it is not already active, and prefer an authenticator app or hardware key over SMS.
- Check for damage already done — for email, look for forwarding rules and unauthorized sent messages. For financial accounts, review all recent transactions and call the fraud line.
- Check other accounts that use the same password — if you reused the password anywhere, change it there too immediately.
The safest practice: verify the URL before the page loads
If a QR code ever takes you to a page asking you to log in to any account, pause and check the URL before you type anything. The address bar should show the exact domain of the real service — not a lookalike, not a URL shortener, and not a subdomain on a different base domain (for example, apple.com.login-verify.net is not Apple).
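The domain check described above, and the matching check a password manager performs before autofilling (see the autofill note earlier), can be written down as a small verifier that runs on the decoded URL before anything is opened. The following is an added illustration, not QRsafer's code or any scanner app's real logic. It assumes a constructed allowlist of service domains, a handful of well-known URL shortener hosts, and a simplified "last two labels" rule for the registrable domain (a real checker would use the Public Suffix List so that suffixes such as co.uk are handled correctly).

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example (not QRsafer's data): service -> the
# registrable domain a genuine login page for that service must sit under.
EXPECTED_DOMAIN = {
    "apple": "apple.com",
    "google": "google.com",
    "microsoft": "microsoftonline.com",
}

# A few widely used URL shorteners. A shortener hides the final destination, so
# the page behind it cannot be judged from the scanned URL alone.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that an owner actually registers.

    Assumption for this example: the last two labels. A production checker
    should use the Public Suffix List so that hosts under multi-label suffixes
    such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def verify_login_url(url: str, service: str) -> tuple[str, str]:
    """Classify a URL decoded from a QR code before any login page is opened.

    Returns (verdict, reason) with verdict one of "ok", "warn" or "block".
    A password manager's autofill domain check is the same kind of
    registrable-domain comparison against the saved entry.
    """
    expected = EXPECTED_DOMAIN[service]
    parts = urlsplit(url)
    # .hostname strips userinfo and port, so "https://apple.com@evil.net/"
    # yields "evil.net": the host the browser would actually connect to.
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        return "block", "login page is not served over HTTPS"
    if not host:
        return "block", "URL has no hostname"
    if parts.username is not None:
        return "block", (f"userinfo '{parts.username}' before '@' disguises the "
                         f"real host {host}")
    if host in SHORTENER_HOSTS:
        return "warn", "URL shortener hides the destination; resolve it before trusting it"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "block", "punycode hostname; possible homoglyph lookalike of a real domain"

    base = registrable_domain(host)
    if base == expected:
        return "ok", f"{host} is under the genuine domain {expected}"
    if expected in host:
        # The real name appears in the host, but the part an owner registers is
        # something else: apple.com.login-verify.net is really login-verify.net.
        return "block", (f"lookalike: '{expected}' appears in {host} but the "
                         f"registrable domain is {base}")
    brand = expected.split(".")[0]
    if brand in host:
        return "warn", f"brand name '{brand}' in an unrelated domain {base}"
    return "block", f"{host} is not under {expected} (registrable domain is {base})"


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would hand them over.
    samples = [
        ("https://appleid.apple.com/auth", "apple"),
        ("https://apple.com.login-verify.net/signin", "apple"),
        ("https://apple.com@evil.net/", "apple"),
        ("https://bit.ly/3example", "google"),
        ("http://login.microsoftonline.com/", "microsoft"),
    ]
    for url, service in samples:
        verdict, reason = verify_login_url(url, service)
        print(f"{verdict:5}  {url}  ({reason})")
```

The order of the checks matters: the scheme, userinfo and shortener tests run before the domain comparison because each of them means the hostname you can see is not, or not yet, the host you will actually talk to. Only once those pass is the registrable domain compared with the expected one, which is exactly the comparison the article asks you to do by eye in the address bar.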
QRsafer checks the destination URL against real-time threat intelligence the moment you point your camera — giving you a verdict before the page opens, so you never see a fake login screen in the first place.
Frequently asked questions
Can scanning a QR code expose passwords saved on my phone?
No. Scanning decodes only the URL — it cannot read your password manager, browser keychain, or any app data on your device. Your stored passwords are never at risk from the scan itself. The danger arises only if the URL opens a phishing page and you manually type a password into it.
How can a QR code be used to steal a password?
A malicious QR code opens a fake login page that looks identical to a real service. When you type your password, it goes to the attacker instead. More advanced attacks use an adversary-in-the-middle proxy that even lets your real multi-factor authentication complete while stealing your session cookie — giving the attacker access without ever needing your password directly.
What should I do if a QR code took me to a login page and I entered my password?
Act immediately on a separate, trusted device: change the password on the real site, end all active sessions in the account's security settings, enable two-factor authentication, and check for any damage already done — forwarding rules in email, unauthorized transactions in financial accounts. If you reused the password elsewhere, change it on those accounts too.
See where a QR code goes before you type anything.
QRsafer checks the destination URL the moment you aim your camera — flagging phishing pages, fake login portals, and suspicious redirects before they ever appear on your screen. Download it free for iOS and Android.
