HACKER Q&A
📣 pram

Are passwords protected for WiFi SSIDs?


I was just thinking about this: when I change my router and I use the same SSID and password, all my devices automatically connect. So that implies the devices are sending the old password to the new router.

What exactly stops someone from setting up a router, naming it the same SSID, and collecting the passwords that the devices are trying to authenticate with?


  👤 worstspotgain Accepted Answer ✓
Attacks like the one you mentioned are prevented cryptographically. One of the simplest methods is CRAM, Challenge-Response Authentication Mechanism. Here's an example exchange:

    Client: I have the password and I'd like to authenticate
    Server: OK, your challenge is 814443143674234562341567675
    Client: OK, the response is 762451345361652354523412123

The challenge issued by the server is a large random number. The C = DigestFunction(A, B) function is one-way. It has the property that if you're trying to figure out A, knowing B and C doesn't really help.

👤 protocolture
Both parties prove cryptographically that they know the PSK without ever sending the PSK over the air. At least in modern protocols. Google WPA PSK flow and EAPOL for diagrams.
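
A minimal sketch of the challenge-response idea from the answers above, extended so that both sides prove they know the password. It is an added example, not part of the original posts, and a simplified model rather than the real WPA handshake. HMAC-SHA256 as the `DigestFunction`, the `role` label, and the `AccessPoint`/`Client` names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def digest(password, challenge, role):
    """DigestFunction(A, B): one-way keyed hash of the challenge.
    HMAC-SHA256 is an assumed stand-in. `role` keeps one side's
    response from being reflected back as the other side's."""
    return hmac.new(password.encode(), role + challenge, hashlib.sha256).digest()

class AccessPoint:
    def __init__(self, password):
        self.password = password
        self.challenge = b""

    def issue_challenge(self):
        self.challenge = secrets.token_bytes(16)  # fresh random value per attempt
        return self.challenge

    def verify(self, response):
        expected = digest(self.password, self.challenge, b"client")
        return hmac.compare_digest(expected, response)  # constant-time compare

    def prove(self, client_challenge):
        # The AP answers the client's challenge to show it knows the password.
        return digest(self.password, client_challenge, b"ap")

class Client:
    def __init__(self, password):
        self.password = password

    def join(self, ap):
        """Return (joined, list of everything this client transmitted)."""
        my_challenge = secrets.token_bytes(16)
        sent = [my_challenge]
        ap_proof = ap.prove(my_challenge)
        expected = digest(self.password, my_challenge, b"ap")
        # Stop here if the AP cannot prove it knows the password.
        if not hmac.compare_digest(ap_proof, expected):
            return False, sent
        response = digest(self.password, ap.issue_challenge(), b"client")
        sent.append(response)
        return ap.verify(response), sent
```

The digest protects the password only as far as the password is hard to guess: a recorded challenge and response can be checked against candidate passwords offline, so a long random passphrase matters.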