Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Are passwords protected for WiFi SSIDs
2 points by pram 11 months ago | hide | past | favorite | 2 comments
I was just thinking about this: when I change my router and I use the same SSID and password, all my devices automatically connect. So that implies the devices are sending the old password to the new router.

What exactly stops someone from setting up a router, naming it the same SSID, and collecting the passwords that the devices are trying to authenticate with?




Attacks like the one you mentioned are prevented cryptographically. One of the simplest methods is CRAM, Challenge-Response Authentication Mechanism. Here's an example exchange:

    Client: I have the password and I'd like to authenticate
    Server: OK, your challenge is 814443143674234562341567675

    <client computes DigestFunction(password, 814443143674234562341567675)>

    Client: OK, the response is 762451345361652354523412123
The challenge issued by the server is a large random number. The C = DigestFunction(A, B) function is one-way. It has the property that if you're trying to figure out A, knowing B and C doesn't really help.


Both parties prove cryptographically that they know the PSK without ever sending the PSK over the air. At least in modern protocols. Google WPA PSK flow and EAPOL for diagrams.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: