Eqii
Technology, Jan 22, 2025

QR Codes Explained: Uses, Security, and Best Practices

A QR code is a 1990s automotive part-tracking tool that became the bridge between physical and digital. Here is how it works, what can go wrong, and how to use it well.

What a QR code actually is

A QR code, short for Quick Response code, is a two-dimensional barcode invented in 1994 by Masahiro Hara, an engineer at the Japanese automotive parts manufacturer Denso Wave. The company needed a way to track components through assembly at high speed, and the linear barcodes in use at the time could not hold enough information in a small enough space. Hara's design packed up to several hundred times more data into the same physical area by using a grid of square modules instead of a single row of bars, and it could be decoded in any orientation in under a second.

The "quick response" name refers to the speed of decoding rather than to any network behavior. A QR code is just a printed pattern. Scanning it with a camera does not connect you to anything by itself; the decoded text — usually a URL — is then handed to whatever app the scanner belongs to. This distinction matters for security, because the entire trust model rests on what the scanning app does with the text it decodes. The standard was released by Denso Wave without licensing fees, which is why it spread so quickly across industry, advertising, and payments.

How the encoding works

A QR code is a square grid of black and white modules. The grid sizes range from 21 by 21 modules (version 1) to 177 by 177 modules (version 40), with every fourth version adding two modules per side. Each version can hold a different maximum amount of data: version 1 holds up to 17 ASCII characters or 25 numeric digits at the lowest error-correction level, while version 40 holds up to 2,953 ASCII characters or 7,089 numeric digits at the same level.

Three large square patterns in the corners — the finder patterns — let the scanner locate and orient the code regardless of rotation. A smaller fourth pattern in the remaining corner helps the scanner warp-correct for perspective. Between the finders runs a timing pattern of alternating black and white modules that establishes the grid spacing. The actual data is encoded in the remaining modules and protected with a Reed-Solomon error-correcting code, which is the same family of codes used on CDs and deep-space communication links.

The data layer encodes the payload in one of four modes — numeric, alphanumeric, byte, or Kanji — chosen for efficiency. Numeric mode packs three digits into 10 bits, alphanumeric packs two characters into 11 bits, byte mode uses 8 bits per character (originally ISO-8859-1, now often UTF-8), and Kanji packs a CJK character into 13 bits. A single code can mix modes to maximize density. The decoded payload is just a string of bytes; what those bytes mean is up to the reader.
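The packing rates above can be turned into a segment-size calculation. The following is an added example, not code from the article: it picks the densest single mode for a payload and counts the bits of one segment. The function names, the UTF-8 choice for byte mode, and the omission of Kanji are assumptions of this sketch; the 4-bit mode indicator and the character-count widths for versions 1 to 9 come from ISO/IEC 18004.

```python
# Alphanumeric mode's 45-symbol set (digits, upper case, space and 8 symbols).
ALNUM = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
DIGITS = set("0123456789")

# Character-count field widths in bits, valid for versions 1-9 only.
COUNT_BITS_V1_9 = {"numeric": 10, "alphanumeric": 9, "byte": 8}
MODE_INDICATOR_BITS = 4


def pick_mode(text):
    """Return the densest single mode that can represent the whole string."""
    if text and all(c in DIGITS for c in text):
        return "numeric"
    if text and all(c in ALNUM for c in text):
        return "alphanumeric"
    return "byte"


def payload_bits(text, mode):
    """Bits used by the data itself, including the shorter final group."""
    if mode == "numeric":
        full, rest = divmod(len(text), 3)
        return full * 10 + (0, 4, 7)[rest]   # 1 leftover digit = 4 bits, 2 = 7
    if mode == "alphanumeric":
        full, rest = divmod(len(text), 2)
        return full * 11 + rest * 6          # a lone final character = 6 bits
    return len(text.encode("utf-8")) * 8     # assumption: byte mode carries UTF-8


def segment_bits(text):
    """Return (mode, total bits) for one segment in a version 1-9 symbol."""
    mode = pick_mode(text)
    total = MODE_INDICATOR_BITS + COUNT_BITS_V1_9[mode] + payload_bits(text, mode)
    return mode, total


if __name__ == "__main__":
    # Constructed sample payloads.
    for sample in ("0123456789", "HTTPS://EXAMPLE.COM/MENU", "https://example.com/menu"):
        print(sample, segment_bits(sample))
```

The same 24-character URL costs 145 bits in upper case and 204 bits in lower case, because a single lower-case letter forces the whole segment into byte mode.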

Error correction levels

QR codes support four error correction levels, defined in the ISO/IEC 18004 standard. Level L recovers up to 7 percent of damaged modules, level M up to 15 percent, level Q up to 25 percent, and level H up to 30 percent. Higher levels cost more space: a version 10 code at level L holds 271 ASCII characters, but at level H the same version holds only 174. The choice is a tradeoff between robustness and density.

Level M is the right default for most codes that will be displayed on a screen or printed on paper under normal conditions. Level H is worth the cost when the code may be partially obscured, printed on a surface that smudges, or used in industrial settings where dirt is expected. Many QR codes on packaging and shipping labels use level H for exactly this reason. Level L is rarely worth the savings; the space saved is small and the resilience lost is large.

The error correction feature is also what makes designer QR codes possible — the kind with a logo in the center or rounded color modules. As long as no more than the chosen percentage of modules is altered, the code still scans. The trick is to keep the finder patterns and timing patterns intact, since these are how the scanner locates the code in the first place. Get too clever and the code looks pretty but does not work.

Common uses and where they fit

The dominant use of QR codes today is linking physical objects to web resources. Restaurant menus, packaging information, museum exhibits, event tickets, and payment terminals all use them for the same reason: the code is free to print, the scanner is in every pocket, and the user does not have to type a URL. The mobile payment networks in China — Alipay and WeChat Pay — built their entire offline payment flow on QR codes, processing trillions of dollars in transactions per year through codes printed on a sticker or shown on a phone screen.

In supply chain and manufacturing, QR codes carry serial numbers, batch identifiers, and inspection records on individual parts. In healthcare, they appear on medication packaging for authentication and on patient wristbands for bedside scanning. In marketing, they bridge print and digital advertising. Not every use is equally sensible: a QR code on a billboard seen from a moving car is unlikely to be scanned, and a QR code on a website is usually pointless because the user could just click a link.

Security risks you should know

The main security risk with QR codes is that the encoded payload is opaque to a human. A printed URL displayed as text can be read and judged before you click; a QR code hides the URL until you scan it. An attacker who replaces a legitimate QR code with a malicious one — stickered over the original on a parking meter, embedded in a phishing email, or printed on a fake poster — can route victims to credential-harvesting pages or trigger automatic actions on the phone such as opening a payment app or adding a contact.

Mitigation falls on the scanner app. A good scanner shows the decoded URL in full before opening it, refuses to auto-execute actions, and warns when the URL uses an unusual scheme or points to a recently registered domain. Most modern phone camera apps do at least the first of these. As a user, never scan a QR code that has been physically placed over another code, treat codes in unsolicited emails the way you would treat any link in the same email, and avoid scanning codes from strangers who hand you a flyer.
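The scanner-side checks described above can be sketched as a triage step that runs on the decoded text before anything is opened. This is an added example, not code from the article or from any particular scanner app; the function name, result fields, and warning wording are assumptions. Domain age is left out because it needs a registration lookup over the network.

```python
import ipaddress
from urllib.parse import urlsplit


def triage(payload: str) -> dict:
    """Classify a decoded QR payload for display; never opens or executes it."""
    text = payload.strip()
    result = {"show": text, "host": None, "warnings": [], "offer_open": False}
    warn = result["warnings"].append

    # Contact cards are actions, not links: require an explicit user tap.
    if text.upper().startswith(("BEGIN:VCARD", "MECARD:")):
        warn("contact card: confirm before saving")
        return result
    try:
        parts = urlsplit(text)
        host, port = parts.hostname or "", parts.port
    except ValueError:
        warn("malformed URL")
        return result

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        warn(f"non-web payload ({scheme or 'plain text'}): no automatic action")
        return result

    # Web link: show the real host and let the user decide whether to open it.
    result["host"], result["offer_open"] = host, True
    if scheme == "http":
        warn("unencrypted http")
    if "@" in parts.netloc:
        warn("userinfo before '@' can disguise the real host")
    if port not in (None, 80, 443):
        warn(f"non-standard port {port}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warn("punycode label: possible lookalike domain")
    try:
        ipaddress.ip_address(host)
        warn("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    return result


if __name__ == "__main__":
    # Constructed sample payloads, not taken from real codes.
    for s in ("https://example.com/menu",
              "https://example.com@198.51.100.7:8443/login",
              "tel:+15550100"):
        print(triage(s))
```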

The encryption myth is also worth dispelling. A QR code does not encrypt anything. If the encoded payload is a URL with a long random token in it, that token is visible to anyone who scans or photographs the code. Several event ticketing systems have leaked valid credentials this way, by printing scannable codes on tickets that were then photographed and posted on social media. If the code grants access, treat the code itself as the credential.

Dynamic QR codes vs static QR codes

A static QR code encodes its payload directly: the URL it points to is the URL printed in the pattern, and changing the destination requires reprinting the code. A dynamic QR code encodes a short URL that redirects through a server, which means the destination can be changed without reprinting the code. The short URL is also trackable: the operator of the redirect server sees how many times the code was scanned, from what countries, and on what devices. This is useful for marketing campaigns where the destination URL may change, but it introduces a dependency on the redirect service: if the service shuts down, every dynamic QR code in the field stops working.

For permanent installations like restaurant menus or building signage, static QR codes are more durable because they do not depend on any third-party service to keep functioning. The code on a sticker on a parking meter should be static, because the city will not reprint it when the payment vendor changes. For campaigns that need analytics or rotation, dynamic codes are the right tool, with the caveat that you should own the redirect domain rather than renting it from a QR-code-as-a-service provider. A surprising number of dynamic QR codes printed on packaging and signage in the 2010s went dead when their redirect services shut down, leaving the codes pointing to 404 pages or, worse, to squatted domains serving ads.

Best practices for generating and scanning

When generating a QR code, use the smallest version that comfortably fits your payload at your chosen error correction level. Shorten the URL first if you can; a 200-character URL forces a much larger code than a 20-character one, which affects scannability on small screens. Test the code on at least two different phones, in lighting that resembles the final display environment, and at the physical size you intend to print. A code that scans perfectly at 8 cm wide may fail at 2 cm wide because the camera cannot resolve individual modules.

If you are placing the code in a design, leave a quiet zone of at least four white modules around all four sides. The standard requires this margin and scanners depend on it. Avoid inverting colors (white code on black background) unless you have tested with target devices; some older scanners fail on inverted codes. Use vector output (SVG) rather than raster (PNG) when the code will be printed at varying sizes, so the modules stay sharp at any resolution. And if the code points to a URL, make sure that URL keeps working — a printed QR code is a permanent commitment to a domain you control.