All Linux Distributions Store Wi-Fi Passwords in Plain Text If You Don’t Use Encryption

Using a very strong password with a non-default SSID might help secure your Wi-Fi network

By Marius Nestor on December 27th, 2013 20:44 GMT

My colleague, Silviu Stahie, wrote an interesting article earlier today, regarding the “ability” of the Ubuntu Linux operating system to store Wi-Fi passwords in plain text, “thanks” to the default design of the NetworkManager application, initially developed by Red Hat.

Well, guess what? The truth is that all Linux operating systems that use the NetworkManager software expose Wi-Fi passwords by default, not just Ubuntu. Moreover, you should also know that even if you don’t use NetworkManager, and you use another tool to configure and manage network connections via profiles, your Wi-Fi password(s) will still be stored in clear text by default.

The "problem" with the NetworkManager application is that it stores the details of any connection (Wired, Wi-Fi, VPN, Proxy, etc.) created by the user in text files, called profiles, under the /etc/NetworkManager/system-connections/ or /etc directory. Many users have reported this functionality as a bug in the past few years.

This happens for any new connection created via the default NetworkManager applet (kdeplasma-applets-plasma-nm for KDE and network-manager-applet for GNOME, Xfce, and other desktop environments). So anyone who inserts a Live CD Linux distro into your laptop can view your not-so-secret Wi-Fi password... or steal even more important data!

Solutions? Yes, we have a few solutions for you, but they depend on several aspects, such as the Linux distribution or the desktop environment you use, or how important Wi-Fi security is to you. The first solution, and the most secure one, is to encrypt your entire drive, not just your Home directory, using one of the encryption methods available for your Linux operating system.

Another method is to not use NetworkManager: disable or uninstall it and use a secure network manager tool, such as netctl under the Arch Linux operating system, which can store a raw 256-bit PSK (Pre-Shared Key) - symmetric encryption - instead of the plain text password. However, this gives a false sense of security, as it will only hide the human-readable version of the password from someone who “accidentally” accessed your laptop and wants to view (read: steal) your Wi-Fi password, among other data.

Keep in mind that someone with knowledge of cracking weak 256-bit PSKs can view your Wi-Fi password, so make sure you educate yourself in basic Wi-Fi security (here’s an interesting article) and choose a non-default SSID and a random password of at least 15-20 characters and symbols before creating the 256-bit PSK (here’s a PSK generator). Anyway, the best method to protect your entire computer remains full disk encryption.
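As an added example (not code from the article, NetworkManager or netctl), the Python sketch below audits a profile in NetworkManager's keyfile format and reports whether the secret is stored as a readable passphrase or as a raw 256-bit PSK, deriving the PSK with the standard WPA2-Personal function (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The profile contents, the network name and the function names are constructed for illustration, and the SSID is assumed to be stored as plain text.

```python
import configparser
import hashlib
import re

# Constructed sample profile; not a real network.
SAMPLE_PROFILE = """\
[connection]
id=ExampleNet
type=wifi

[wifi]
ssid=ExampleNet

[wifi-security]
key-mgmt=wpa-psk
psk=correct horse battery staple
"""

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2-Personal PSK; the SSID acts as the salt."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()

def audit_profile(text: str) -> dict:
    """Report how a keyfile-style profile stores its Wi-Fi secret."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in passphrases
    cp.read_string(text)
    # Older profiles use the long section names, newer ones the short aliases.
    wifi = next((s for s in ("wifi", "802-11-wireless") if cp.has_section(s)), None)
    sec = next((s for s in ("wifi-security", "802-11-wireless-security")
                if cp.has_section(s)), None)
    ssid = cp.get(wifi, "ssid", fallback=None) if wifi else None
    secret = cp.get(sec, "psk", fallback=None) if sec else None
    if secret is None:
        stored_as = "no-psk-stored"
    elif re.fullmatch(r"[0-9a-fA-F]{64}", secret):
        stored_as = "raw-psk"  # 64 hex digits: already the derived key
    else:
        stored_as = "plaintext-passphrase"
    report = {"ssid": ssid, "stored_as": stored_as}
    if stored_as == "plaintext-passphrase" and ssid:
        # The value that could be stored instead of the readable passphrase.
        report["raw_psk"] = wpa_psk(secret, ssid)
    return report

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Because the derivation is deterministic and salted only by the SSID, the same passphrase yields a different PSK on every network name, which is why a non-default SSID matters, while the stored hex value still authenticates to the network on its own.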