Question about wireless password stored in plain text

I noticed that the wireless password is stored in plaintext in etc/config/wireless. Other passwords elsewhere are hashed. I'm assuming that this is no security issue at all or it wouldn't be done that way. Can anyone explain to me why this is not an issue? I am guessing that if someone got so far as to be able to access that file the least of my worries would be they own my wireless access? Any insight here would be greatly appreciated. I tried to search the documentation and forum for this but couldn't find anything.

1 Like

Wireless is, in my opinion, inherently insecure. I treat all wireless connections as potentially hostile and the medium as if unencrypted. It's up to the clients to ensure end-to-end encryption, not the channel.

The passwords, if someone gets to them, are the least of your worries. It means your box has been compromised. Yes, they can be encoded in a form that isn't easy to remember, but they're just as insecure. Then again, you've probably given them out to someone that has them on a yellow sticky note :wink:

If you want "enterprise-grade" authentication, then forgo WPA2 and set up 802.1X or the like.


Thanks @jeff, that's great info for me.

I only have the one 'kids' comp set up on wireless (isolating that as best as possible is what brought me to OpenWrt in the first place), and I'm the only one who knows the password. But I really wish I could wire that one, too. The wife didn't like my test run with a 50' Ethernet cable strung across the house though, so for now the wireless lives another day...

Security is always a balance of utility and strength.

I use wireless, and have in a city environment as well. It's too convenient not to. I bridge with wireless and made decisions on that based on the traffic it would carry. There isn't any "sensitive information" from my IoT devices, and I intentionally don't have my fireplace on an Internet-connected switch. Meh, someone can turn on and off my lights. Ok, if they turn off my espresso maker, I'll be pissed. Now that any website that has any "value" runs over TLS, along with things like FaceTime, I'm OK with nothing more than WPA2 encryption on the link.

Others might make different decisions.


That sums it up. Utility vs strength, privacy vs security, convenience vs, well, just about everything else, and so on. Thanks for the replies.

It's also a good example why using the same password for different services isn't good practice.


nice thought there, but, no :slight_smile:

1 Like

Buy some powerline adapters. If you get a decent pair and they are set up properly, they maintain good latency. If your speed is over 100Mbps or planning to upgrade past that in the future make sure to get a pair with gigabit ports. Most manufacturers advertise the speed between the devices and do not explicitly state that the overall speed will be bottlenecked if they only have a 10/100 ethernet port. For example, TP-Link sells the AV600 PA4010 Kit (formerly AV500) adevertising speeds up to 600Mbps, however, the maximum speed that can actually be achieved is only ~95Mbps due to the ethernet ports. Realistically, you should be able to achieve low latency and get around 40-50% of your total download speed with powerline adapters.

1 Like

There's also an attack method via vulnerabilities in additional services.
That's why it is recommended to create a unique limited-access system account for every service which supports privilege dropping.
So, setting limited permissions on /etc/config/wireless has some reasoning.
Although maintaining up to date firmware version should minimize the risks.


Thanks for the additional replies. They have been helpful. Always so much good information in this forum.


I am curious as to what you mean here more specifically. I can think of four possibilities, but I'm sure there are more, and so I wanted to know if you meant one of these four, or something else I hadn't thought of.

  1. If you meant the various three letter agencies (via microprocessor backdoors, hard drive back doors, OS back doors, endless hacks, and on and on), of course they know all my passwords. When I went to the bathroom last night I am sure they knew the weight to within a gram accuracy before I got up. But context-wise, I meant 'no one in the household', which I was thinking was implied.

  2. The users did one of any numbers of simple tricks to 'recover' the password. Not likely here. Only two small kids use the computer with the wireless, only for an hour a day, and only under my supervision. The computer is locked down with hardware based pre-boot authorization Opal 2 encryption and a 60 character password (that isn't written down anywhere or in a digital password keeper) when they aren't on it. I think that would be a bit much for them to crack. There are no other in house users, and no visitors to the house.

  3. The Wifi has been hacked and the password discovered. I doubt this because my location is very rural (although surely within range if someone was driving back country private dirt roads looking for a signal to hack) and I monitor all connections and traffic. The Wifi is shut off when it's not the kids hour of time. Pretty unlikely someone hacked the 60 character password (different from the Opal pw) and has never connected even once.

  4. The password was gotten from volatile memory by one of the many (many) side channel attacks like Meltdown and Spectre that aren't covered, and won't be covered, by any firmware updates in our lifetimes. I'm thinking this is low probability because side channel attacks require, for the most part, javascript, and we run no javascript in this household. It makes the Internet a lot less fun, but the tradeoff is worth it to me. That's the reason why it sometimes takes me a long time to reply to posts in here. This forum seems to require js, so I have to go to a friend's house and 'cheat' to post. Now, is it possible that there could be an unknown side channel attack that doesn't use js, even though no researchers have published this as a possibility (that I can find)? Maybe, but the chances of this in the one hour period using heavy blocklists and other measures is pretty slim unless it was targeted, and then we are back to #1.

  5. ?

I can't wait for your answer because I am sure you are going to shatter my remaining illusions, show me how naive I am, and tell me a pile of ways the pw was surely compromised. :open_mouth: I am always open to learning about security, so I would welcome any thoughts.

I tip my tinfoil hat to you.


It is pretty far out there, from what I can tell. Most won't do it. But the vast majority of exploits are js based, so it makes sense. The other issue is that if you run js they can get so deep into your system that fingerprinting you is simple. There are some things that can be done without js, but way, way less. I don't like any random website knowing which DNS servers I am using, for example. I've got nothing to hide, I just use some basic servers, but it's no one's business which ones I use. So I gave up js. I'm used to it now, so it doesn't even bother me. On the other hand I just use the Internet for looking up basic stuff, no videos, no music, no non-update downloads, so it isn't that difficult.

I have been enjoying the new container feature and tracker squashing features of Firefox, glad that they are working on such things.


That's a basic cryptography question.

There is an inherent trade-off in the password verification problem. Let's pretend for a moment that WPA Personal does not exist, and think like a protocol designer. One of the design objectives is that the password (or in general, any data sufficient to authenticate) should not be sniffable from the radio waves. And what you want is another design objective, that the leak of the password database should not give the attacker enough data to authenticate. Also, there is an objective that the initial setup of the password is simple - i.e. it should be sufficient to just set the same password on the server and on the client, and possible to share the same password on multiple devices. It turns out that the requirements are not compatible, and protection of the password from sniffing and simplicity of the setup for mere mortals are more important than password protection in the password database.

Everyone else in the world meets all three requirements by transmitting the password as-is over an encrypted and authenticated channel provided by SSL. This way, the side that verifies the password gets a plain-text copy, can hash it by itself and compare to what is in the hashed password database. But - this is only secure (in the sense of non-sniffability) because of SSL, which depends on certification authorities, and is not available in the WPA/WPA2 Personal context, because it is unreasonable to require the home user to obtain a certificate and not forget to renew it periodically. WPA2 Enterprise does use certificates.

So in short - the third objective rules out protocols like SRP that have a complicated (e.g. because some random salt has to be stored both on the client and the server) password-setup step I don't know why SRP was ruled out, but it was, and the lack of a trusted third party (like the certificate authority in SSL) makes a dilemma between password sniffability and possibility to steal from the database.

A useful additional reading (even though not directly relevant for wireless networks) would be to learn about the use of PAP and CHAP with dial-up modem connections. And also

1 Like

you should not rely on the secrecy of your wifi credentials, because

  • the wifi password is stored on many devices (often in plaintext)
  • wpa2 key cracking is far from impossible (even for a passive attacker)

but given your rural location i would agree that there is a reduced chance of some rando messing with your wifi :slight_smile:

1 Like

For a poorly chosen wifi password, like a common word you can dictionary attack. For one chosen with Keepass2 or similar, 12 random characters, looks like E8yGvB&2oo#f there's no way.


Theoretically, yes, it's possible, though not feasible. 12 characters gives 5.4 * 10^23 possibilities. So you could start it if you want, but you are very unlikely to see the results in the router's lifetime or yours!


But 802.X requires a private key to be stored instead of a password. And the private key is in clear text, or maybe it's encrypted with a clear-text password.
Ultimately, if you don't want cleartext credentials stored in your device, you'll have to enter some credential by hand (by human interaction) on each and every connection.