How resistant are barcodes and QR-codes against attempts to change stored data?

... how secure is a QR-code?

Data in a QR code are kind of protected against accidental damage by having some error correction but they are not protected against deliberate manipulation. Also, an attacker might completely replace the QR code in the document with a different one.


QR codes are normally not protected against manipulation. But:

You could include a digital signature in the data so anyone can check if the QR code is made by you and has not been modified. Then the only thing an attacker can do is replace the QR code by an other QR code you made.

Such an approach wil typically work like this:

  • On a secure server, a key pair (public key and private key) is generated. The public key can safely be published. The private key never leaves the server.
  • When a QR code needs to be created, the server calculates the digital signature from the information and the private key. The information together with the digital signature is put in a QR code.
  • One creates an app for scanning QR codes. The public key is included in the app. An algorithm that takes the public key, the information and the digital signature as input can check whether or not the data in a QR code has been tampered with.

I don't know if there is any standard or good existing software for digital signatures in QR codes.


A QR code or barcode is just data written in a non-alphabetic format. It offers no more security than you'd get from writing the same data in ordinary text.