Password Verification

Hi, I'm new to this forum and I'm sorry if this isn't the right section to post my question.

I've downloaded the source code of OpenWrt out of curiosity about how it works. However, I couldn't see where the password verification happens. What I mean is when someone connects to the wifi, the router (the firmware) will compare the password it has to the one the user entered.

Basically all I want is to see where the wifi password gets read and compared to either allow access to the device or just reject the password given because it doesn't match.

Can anyone point me in the right direction as to which file this all happens in? I searched through the files; however, all I came up with was the router login (with the username and password).

It is handled by the code in the hostap repository (hostapd / wpa_supplicant), as it is by most Linux-based systems, embedded, Android, laptop/desktop, what have you.


Perhaps you should clarify whether you are referring to the "wifi password" or the "admin password".

What I'm referring to is the wifi password.

Also note that there is no simple password comparison with WPA. Authentication in WPA requires a three-way handshake that involves access point and stations encrypting each other's challenges with a known secret (the PSK) to prove their knowledge of the shared secret.

The actual plaintext PSK is never exchanged. You can find the various key derivation and comparison routines in hostapd's source code within the wpa_common.c file.
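The check described in the post above, as an added example that is not part of the original thread and is not hostapd's code: a WPA2-PSK style derivation in which the station sends only a 16-byte MIC and the access point recomputes it from its own PSK. The SSID, passphrases, MAC addresses, nonces and frame bytes are constructed, and the frame is a stand-in for a real EAPOL-Key message.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF over both MACs and both nonces; the first 16 bytes of the
    # PTK are the key confirmation key (KCK) used for the MIC.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for counter in range(3):  # 3 x 20 bytes of SHA-1 output covers PRF-384
        msg = b"Pairwise key expansion\x00" + data + bytes([counter])
        ptk += hmac.new(pmk, msg, hashlib.sha1).digest()
    return ptk[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def handshake_mic(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame) -> bytes:
    # All a station puts on the air: a MIC keyed by what it believes the PSK is.
    kck = derive_kck(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return eapol_mic(kck, frame)

def ap_accepts(ap_passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame, received_mic) -> bool:
    # The AP recomputes the MIC from its own PSK and compares in constant time.
    expected = handshake_mic(ap_passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame)
    return hmac.compare_digest(expected, received_mic)

# Constructed sample values (not from a real capture)
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
FRAME = b"constructed stand-in for EAPOL-Key message 2"
AP_PASSPHRASE = "correct horse battery"

if __name__ == "__main__":
    for entered in (AP_PASSPHRASE, "wrong guess 123"):
        mic = handshake_mic(entered, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME)
        ok = ap_accepts(AP_PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME, mic)
        print(mic.hex(), "accepted" if ok else "rejected")
```

In the rejected case the access point is left holding only a MIC that does not match its own, which is why there is no entered passphrase on the router to log.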


That's just for the WPA, right? What about WEP?

All handled by hostapd or wpa_supplicant, depending on if AP, STA, or SAE

(Note that WEP is insecure, obsolete, and incompatible with current 802.11 operation)

I was thinking of editing the code in order to be able to see the tried passwords on my router. I see that it isn't impossible to do but it's difficult to do it. Has someone else coded something like that or a modified version that has this version?

@milontoo7, welcome to the community!

If the PSK is never transferred, how can you write a program to see it?

The question I would ask is, why?

Can't think of many legitimate reasons for attempting this. It sounds like a rogue AP or MITM attempt.

I'm sorry but I haven't read in depth about how WPA works so I might have everything wrong. Isn't the PSK stored in the firmware? What I meant is I wanted to edit the firmware in order to be able to see what passwords have been tried on my wifi.

Meaning I wanted to edit the file where the verification happens. Checking the code above, which jow provided, I assume I'll get the tried password on the router, but it will be hashed, not in plain text.

Well, it can be used to create an Evil twin router to grab other passwords but that wasn't my intention. I just was actually doing it for fun but it seems more complicated than I thought.

What everyone is telling you is that the attempted password is never actually sent.
Obviously if it was, it would be very easy to snoop from the air for a third party.
The protocol allows for proving that both parties know the secret without saying the secret itself.

I'm not sure of the exact method used in WPA, but the one I am familiar with is Diffie-Hellman.

Look at the paint mixing example in this article and I think you will see how this can be achieved.

Yes, the PSK is on the device, which means you don't have to write any code, you just look at it. If you want to know attempted passwords - since they derive from an incorrect PSK that you do not have, I'm not sure how one could see them.

See the sections that describe the Message Integrity Check:

Also, feel free to use one post to reply to multiple posts, we can all see.

The wifi password gets read at MAC address.

A MAC address is a hardware identification number that uniquely identifies each device on a network. The MAC address is manufactured into every network card, such as an Ethernet card or Wi-Fi card, and therefore cannot be changed.

That's very informative, thank you for sharing that. Also, I don't really know how to reply to multiple posts.

I'm sorry but I'm not sure what the MAC address has to do with getting the password tried. But as far as I know MAC addresses can be spoofed.

Just stop using 2 messages to reply, that's all. It was more important if you're a new user.

This is true; and makes it even more difficult, given you'll not know the MAC of the connecting device.