WiFi Password Command-Line Cheatsheet

Quick reference table

Windows: netsh wlan

The netsh binary has shipped with every Windows since XP and exposes the full WiFi credential store. All three commands below assume an elevated PowerShell or Command Prompt (right-click Start, choose Terminal (Admin)).

List every saved WiFi profile:

netsh wlan show profiles

Show the plain-text password for one profile:

netsh wlan show profile name="MyHomeWiFi" key=clear

The WPA key is on the Key Content line inside the Security settings block. If that line is missing, you either forgot key=clear or you are not running elevated.

Dump every password in one table (PowerShell):

$profiles = netsh wlan show profiles | Select-String "All User Profile\s+:\s+(.+)
quot; | ForEach-Object { $_.Matches.Groups[1].Value.Trim() }
$rows = foreach ($name in $profiles) {
    $raw = netsh wlan show profile name="$name" key=clear
    $pw  = ($raw | Select-String "Key Content\s+:\s+(.+)
quot;).Matches.Groups[1].Value
    [PSCustomObject]@{ SSID = $name; Password = $pw }
}
$rows | Format-Table -AutoSize

The output is a clean two-column table. Pipe it to | Export-Csv wifi.csv -NoTypeInformation to save, and remember to delete the CSV afterwards. See the Windows 11 walkthrough for a GUI alternative.

Export every profile as XML with plain key:

mkdir C:\WiFiBackup
netsh wlan export profile key=clear folder=C:\WiFiBackup

Useful for migrating every network to a new PC at once. Each XML file contains the SSID, security type, and plain WPA key in the keyMaterial element.

macOS: security

The security binary is the Terminal interface to Keychain on macOS. Works identically on Intel, M1, M2, and M3 Macs.

Reveal one password:

security find-generic-password -ga "MyHomeWiFi"

The password line appears on stderr as password: "…". The first invocation for a given SSID triggers a Keychain confirmation dialog where you authenticate with Touch ID or your login password.

Return only the password (suitable for pipelines):

security find-generic-password -wa "MyHomeWiFi"

List every saved WiFi profile:

networksetup -listpreferredwirelessnetworks en0

Dump every password in one table:

IFACE=$(networksetup -listallhardwareports | awk '/Wi-Fi/{getline; print $2}')
for ssid in $(networksetup -listpreferredwirelessnetworks "$IFACE" | tail -n +2 | sed 's/^[[:space:]]*//'); do
  pw=$(security find-generic-password -wa "$ssid" 2>/dev/null)
  [ -n "$pw" ] && printf "%-30s %s\n" "$ssid" "$pw"
done

Replace en0 with en1 on Macs where WiFi is the second adapter. For a full macOS walkthrough with the Keychain Access GUI see the Mac Keychain article.

Linux: NetworkManager (Ubuntu, Fedora, most desktops)

NetworkManager is the default WiFi stack on Ubuntu, Fedora Workstation, Debian GNOME, Pop!_OS, Linux Mint, and most other mainstream desktop distributions. Credentials live in /etc/NetworkManager/system-connections/ as INI-style .nmconnection files owned by root.

List saved connections:

nmcli connection show

Reveal one password (no sudo needed on many distros):

nmcli --show-secrets connection show "MyHomeWiFi" | grep 802-11-wireless-security.psk

Or just the password, scriptable:

sudo nmcli -s -g 802-11-wireless-security.psk connection show "MyHomeWiFi"

Grep every .nmconnection at once:

sudo grep -H '^psk=' /etc/NetworkManager/system-connections/*.nmconnection | sed 's|.*/||; s|.nmconnection:psk=|  |'

The result is a two-column SSID / password listing. On modern distributions the .nmconnection files are chmod 600 root:root, which is why the commands need sudo.

List available networks with signal strength:

nmcli device wifi list

Linux: iwd (Arch, embedded, some laptops)

Arch, some embedded distributions, and Intel-based ChromeOS derivatives use iwd instead of NetworkManager. Credentials are stored in /var/lib/iwd/SSID.psk, one INI file per network.

sudo ls /var/lib/iwd/
sudo cat /var/lib/iwd/MyHomeWiFi.psk

The Passphrase= line is the plain WPA key. Some versions of iwd replace it with PreSharedKey=, which is the PMK in hex rather than the passphrase. A hex PMK is not reversible to the original passphrase without cracking.

Bulk export from iwd:

sudo grep -H Passphrase /var/lib/iwd/*.psk | sed 's|/var/lib/iwd/||; s|.psk:Passphrase=|  |'

Linux: wpa_supplicant (servers, OpenWrt)

Headless servers and OpenWrt routers often use raw wpa_supplicant, with configuration in /etc/wpa_supplicant/wpa_supplicant.conf.

sudo grep -E 'ssid=|psk=' /etc/wpa_supplicant/wpa_supplicant.conf

PSK values may be stored as plain strings in quotes or as a 64-character hex PMK. Quoted strings are the plain passphrase; bare hex is a derived key and cannot be reversed.

Listing nearby networks (not saved, just visible)

Sometimes you need to scan for SSIDs and strengths rather than reveal saved ones. The command differs per OS but the intent is the same:

# Windows
netsh wlan show networks mode=bssid

# macOS (deprecated in Sonoma, but still shipped)
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

# Linux NetworkManager
nmcli device wifi list

# Linux raw
sudo iw dev wlan0 scan | grep SSID

Operational tips

• Redirect to a file with restrictive permissions rather than letting passwords scroll in your terminal. Example: ... > wifi.txt && chmod 600 wifi.txt.
• Clear shell history after bulk dumps. Bash: history -c. Zsh: history -p. PowerShell: Clear-History; Remove-Item (Get-PSReadlineOption).HistorySavePath.
• Never scp a Keychain file to another machine. The wrap key is tied to the device; the copy cannot be decrypted elsewhere.
• Screen-share caution: if your terminal is being recorded or mirrored, pipe the password to pbcopy (mac), Set-Clipboard (Windows), or xclip -sel c (Linux) instead of printing it to stdout.

How each OS actually stores the key

Understanding where the password lives on disk helps when the standard command fails. On Windows, WiFi profiles are XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\, with the key encrypted by DPAPI scoped to the Local System account. Only an elevated process can decrypt it, which is why key=clear needs admin rights. Copying the XML files to another machine does not help because DPAPI keys are tied to the local SID and machine.

On macOS, both login.keychain-db and System.keychain are SQLite databases under ~/Library/Keychains/ and /Library/Keychains/. The wrap key lives in the Secure Enclave on Apple Silicon and the T2 chip on later Intel Macs, which is why the raw SQLite file is unreadable if moved.

On Linux with NetworkManager, files in /etc/NetworkManager/system-connections/ are plain INI text with chmod 600. No encryption at rest. This is simpler but more exposed: anyone with root or physical access to the disk can read every WiFi password instantly. Encrypting the root filesystem (LUKS, dm-crypt) is the standard mitigation.

iwd uses a similar approach in /var/lib/iwd/. wpa_supplicant on servers and OpenWrt is plain text too. Chrome OS uses its own shill daemon with per-user encryption tied to the Google account cryptohome.

Bulk migration: moving every WiFi profile to a new device

A common reason to reach for these commands is to migrate all saved networks to a new machine before wiping the old one. The workflow depends on the source and destination OS:

Windows to Windows:

# On old PC (elevated)
netsh wlan export profile key=clear folder=C:\WiFiBackup

# On new PC (elevated), after copying the folder
Get-ChildItem C:\WiFiBackup\*.xml | ForEach-Object { netsh wlan add profile filename="$($_.FullName)" }

macOS to macOS:

Skip manual export entirely. Sign into the new Mac with the same Apple ID, enable iCloud Keychain, and all WiFi profiles sync within a few minutes. For a non-Apple-ID route, Migration Assistant copies Keychain intact.

Linux to Linux:

# On old box
sudo tar czf nm.tgz -C /etc/NetworkManager system-connections

# On new box
sudo tar xzf nm.tgz -C /etc/NetworkManager
sudo chmod 600 /etc/NetworkManager/system-connections/*
sudo systemctl restart NetworkManager

Cross-OS migration (Windows to Linux, etc.) is not directly supported. The practical path is to export every password as plain text on the source, paste them into the target's network list one by one, and securely wipe the intermediate file with shred -u (Linux), rm -P (macOS), or cipher /w:C:\\ (Windows).

Scripted password audit

Once you can dump every saved WiFi password to a file, the next step is often an audit: which networks still use a weak password that would crack in minutes under WPA2? This is useful on family laptops where an old memorable password was reused for years. The script below works on Linux and macOS; it reads a password dump and prints anything shorter than 12 characters or appearing in the rockyou top-1000 list.

#!/usr/bin/env bash
# Usage: ./audit.sh wifi-dump.txt
# Format: each line = SSID<tab>password

curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-Credentials/10k-most-common.txt \
  | head -1000 > /tmp/top1k.txt

while IFS=
#x27;\t' read -r ssid pw; do
  flags=""
  [ ${#pw} -lt 12 ] && flags="${flags}[SHORT] "
  grep -qx "$pw" /tmp/top1k.txt && flags="${flags}[COMMON] "
  [ -n "$flags" ] && printf "%-30s %s %s\n" "$ssid" "$flags" "$pw"
done < "$1"

The audit is pessimistic by design: any password under 12 characters is flagged even if it is random. For a fuller picture of what makes a passphrase resistant to offline attacks, see the WPA3 vs WPA2 deep dive.

Frequently asked questions