This seemingly shocking news was posted by Michael Horowitz with lots of quotes in the press.
Google knows nearly every Wi-Fi password in the world
But, what is missing in this article is a statement about how Wi-Fi actually works. If using password protected Wi-Fi (rather than enterprise-based Wi-Fi), the computer or the phone must know the password in order to authenticate with the Wi-Fi access point. It is possible to have the computer, phone or tablet "forget" the password when dismissing the Wi-Fi network. But, if the network is stored in the computing device and allowed to connect automatically, the password is kept somewhere in the device.
In order for the computer to connect to the router, it needs to have either the passphrase or the PSK (pre-shared key). For Mac OS X, the passphrase for the Wi-Fi is stored in the login keychain. Knowledge of the login password is sufficient to be able to see the Wi-Fi password in the clear. The Mac requires the password to negotiate a session with the Wi-Fi access point.
If Apple chooses to hide the Wi-Fi password from sight by the user, this amounts to being "security by obscurity." Either the password is needed in the clear to generate the PSK for authentication, or else, the PSK can be obtained in the clear in order to be authenticated.
We have to trust that Apple is not sending the Wi-Fi password anywhere. But, it is human-based trust rather than encryption enforced trust.
This is not just an Apple and Google phenomena. This is simply how Wi-Fi works. If this is a concern, then, one shouldn't use Wi-Fi.