How to Find a Saved Wi-Fi Password From the macOS Terminal

The fast answer: macOS already ships the tool, so you do not need to download anything. Open Terminal and run one command, swapping in your network name:

security find-generic-password -wa "MyNetworkSSID"

That prints the saved password and nothing else. macOS will pop a Keychain prompt asking you to allow access (Touch ID or your login password); that prompt is correct and expected, and I explain why below. If your SSID has spaces or punctuation, keep the quotes.

A lot of older write-ups, including the one I was correcting when I revisited this, send you off to clone a third-party wifi-password script from GitHub. You do not need it. That tool is unmaintained, and under the hood it is just a wrapper around the very command above. The built-in security binary does the whole job natively, on every macOS version, with nothing to install and nothing to keep updated.

What the flags mean

security is the command-line front end to the macOS Keychain. A stored Wi-Fi password lives there as a "generic password" item, keyed by the network name, which is why the subcommand is find-generic-password:

security find-generic-password -wa "MyNetworkSSID"

• -a "MyNetworkSSID" is the account, and for Wi-Fi items the account is the network name (SSID). This is the network whose password you want.
• -w means print the password only, on its own line, with no surrounding metadata. That is what makes the output copy-paste clean.

Drop the -w and use -g instead if you want the full keychain record, including the password line:

security find-generic-password -ga "MyNetworkSSID"

-g dumps the item's attributes (creation date, the item class, the keychain it lives in) and prints the password on a password: line near the bottom. To pull just that one line out:

security find-generic-password -ga "MyNetworkSSID" 2>&1 | grep "password:"

The 2>&1 is there because security writes the password line to standard error, not standard output, so you have to redirect it before grep can see it. With -w you do not need any of that, which is why -wa is the form I reach for.

The Keychain prompt is supposed to happen

The first time you run this for a given network, macOS interrupts with a dialog: "security wants to use your confidential information stored in [SSID] in your keychain." It wants Touch ID or your login password before it hands the secret over.

Do not treat that prompt as a problem to route around. It is the security model working exactly as designed: a stored password should not leave the keychain just because a process asked nicely. Click Allow (or Always Allow if you would rather not be asked again for that item) and authenticate. If you run the command in a script and nothing appears, check that Terminal is in the foreground; the dialog is modal and needs a visible app to attach to.

You will only ever be prompted for your own login keychain, unlocked by your own credentials. There is no flag that bypasses this. If you could read a password without authenticating, so could anything else running as your user, which is the whole point of the keychain existing.

Finding the current network name

If you are connected and just want this network's password, you need the SSID to pass to -a. Click the Wi-Fi icon in the menu bar and the connected network is checked at the top. From the Terminal, recent macOS exposes it through networksetup:

networksetup -getairportnetwork en0

That prints Current Wi-Fi Network: MyNetworkSSID for the interface, and en0 is the Wi-Fi interface on most Macs (run networksetup -listallhardwareports if yours differs). Older guides reach for airport -I, but Apple deprecated the airport utility and removed it in macOS Sonoma 14.4, so networksetup is the form that keeps working.

If you have read about wdutil info or system_profiler SPAirPortDataType as the modern replacements, be aware that since 14.4 both of those redact the live network name (the SSID shows as <redacted> unless the calling app holds a Location Services grant). networksetup -getairportnetwork is the one that still prints the SSID in plain text, which is why I lean on it here.

You do not have to be connected to the network to read its password. The keychain stores every network you have ever joined, so you can pull the password for the coffee shop you visited last month while sitting at home on a completely different connection. To browse what is stored, open Keychain Access (or, on macOS Sequoia and Tahoe, the Passwords app, which has a dedicated Wi-Fi section listing every saved network) and search; each Wi-Fi entry's name is the SSID you would feed to -a.

A note on what this does and does not do

This is worth being plain about, because "get a Wi-Fi password from the Terminal" is a phrase that sounds like an attack and is not one.

The security command only reveals passwords your own Mac has already joined and saved, gated behind your own keychain authentication. It cannot read a network you have never connected to, it cannot read another user's keychain, and it does nothing to a network you are not authorized on. It is the command-line equivalent of opening Keychain Access and clicking "Show Password," which has always required your login password too. Reaching for it to recover the password to your own home network so you can type it into a new phone is the normal case; there is no privilege escalation hiding in here.

See also

• Copy to the clipboard from the command line with pbcopy and pbpaste: pipe the password straight to the clipboard with security find-generic-password -wa "SSID" | pbcopy.
• Set the date and time from the macOS command line: another built-in BSD-userland utility where the common online advice has the syntax wrong.
• Verify a file checksum on macOS: the right shasum syntax for checking a download, and why SHA-1 is not it.