Timeline for For a router, is storing the Wi-Fi password in plain text in its own storage/firmware considered a vulnerability, or is it standard practice?
Current License: CC BY-SA 4.0
Post Revisions
17 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Aug 20, 2025 at 15:48 | answer | added | David G. | timeline score: -3 | |
| Aug 20, 2025 at 1:57 | answer | added | Ángel | timeline score: 5 | |
| Aug 19, 2025 at 21:51 | comment | added | user71659 | @Bergi The password is never sent, rather in WPA2-PSK it's used with the PBKDF2 function to derive a master key. You could store the PMK, but then it's invalid if somebody changes the SSID. In WPA3-SAE, the PWE is dependent on the password and MAC address of the other side, so you can't save it. | |
| Aug 19, 2025 at 21:12 | comment | added | Bergi | @SteffenUllrich "the router needs the password in plain text to create the access point" - does it actually? Maybe I'm missing something about how WPA works, but afaict the router just needs to check the password when a client tries to authenticate, and a stored hash should be sufficient for that. (Of course I agree with schroeder's answer, and there's various usability features from a "show password" button in the configuration to WPS that would need the cleartext, but I don't see why it couldn't be hashed in principle) | |
| Aug 19, 2025 at 7:07 | answer | added | Mark Morgan Lloyd | timeline score: -2 | |
| Aug 19, 2025 at 6:17 | comment | added | vidarlo | @allexj If someone has access to bypass the security controls of the firmware, they can MITM the traffic in a gazillion other ways anyway. Cost is a major concern in many such devices. | |
| Aug 18, 2025 at 22:05 | history | became hot network question | | | |
| Aug 18, 2025 at 15:55 | answer | added | schroeder♦ | timeline score: 43 | |
| Aug 18, 2025 at 15:42 | comment | added | allexj | @schroeder it was just curiosity to understand if it's a vulnerability or not | |
| Aug 18, 2025 at 15:12 | comment | added | schroeder♦ | Why are you expecting greater security? What's the risk? The PSK is often written on the router, passed out to users, or in other means made available for people to type in manually. Why should the device get such heavy control? | |
| Aug 18, 2025 at 15:09 | comment | added | allexj | @Ja1024 so EVERY router out there that uses PSK has this key in cleartext and not protected in any way... or can it happen that it is non-cleartext in some way and decrypted on the fly when needed? | |
| Aug 18, 2025 at 14:43 | comment | added | Ja1024 | High-end routers are going to use WPA-Enterprise with public-key authentication, not WPA-Personal with pre-shared keys. | |
| Aug 18, 2025 at 14:31 | comment | added | allexj | TPM to store it and release to volatile memory (instead of saving it cleartext in non-volatile) if PCRs are correct. Or have it in protected-read storage or secure element... are these the solutions for high end routers? | |
| Aug 18, 2025 at 14:27 | comment | added | Ja1024 | There are different WPA versions and multiple modes (Personal/Enterprise). Which one are you talking about? If this is WPA2 with a Pre-Shared Key, then the router needs the PSK as plaintext. | |
| Aug 18, 2025 at 14:19 | comment | added | Steffen Ullrich | Given that the router needs the password in plain text to create the access point - what options do you see which would be better than storing the password in plain/encoded? Note that the password cannot be hashed (since this is not reversible) and if it would be encrypted the appropriate decryption secret would need to be known to the router too. | |
| Aug 18, 2025 at 14:11 | history | edited | allexj | CC BY-SA 4.0 | edited title |
| Aug 18, 2025 at 13:58 | history | asked | allexj | CC BY-SA 4.0 | |