Hiding passwords in wpa_supplicant.conf with WPA-EAP and MSCHAP-v2
46 votes, 2 answers, 66971 views
My `wpa_supplicant.conf` looks like this:
```
network={
	ssid="Some name"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="my-user-id"
	password="(clear text password here)"
	ca_cert="/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt"
	phase2="auth=MSCHAPV2"
}
```
With this specific combination of WPA-EAP and MSCHAP-v2, is there a way to not include my password in clear in this configuration file?
The ChangeLog seems to [claim that this *is feasible*](https://w1.fi/cgit/hostap/tree/hostapd/ChangeLog#n790) (since 2005!):
> * added support for storing EAP user password as NtPasswordHash instead
>   of plaintext password when using MSCHAP or MSCHAPv2 for
>   authentication (hash:); added nt_password_hash
>   tool for hashing password to generate NtPasswordHash
Some notes:
* Using a different password is not an option, as I have no control over this network (this is a corporate network, and a single username/password is used to access all services, including connecting to the Wifi).
* A word about duplicates:
  * [40: use-wpa-supplicant-without-plain-text-passwords](https://unix.stackexchange.com/questions/40/use-wpa-supplicant-without-plain-text-passwords) is about pre-shared keys
  * [74500: wpa-supplicant-store-password-as-hash-wpa-eap-with-phase2-auth-pap](https://unix.stackexchange.com/questions/74500/wpa-supplicant-store-password-as-hash-wpa-eap-with-phase2-auth-pap) uses PAP as phase-2 authentication (not MSCHAP-v2).
  * [85757: store-password-as-hash-in-wpa-supplicant-conf](https://unix.stackexchange.com/questions/85757/store-password-as-hash-in-wpa-supplicant-conf) is very similar to this question, but was (incorrectly) closed as a duplicate of [74500](https://unix.stackexchange.com/questions/74500/wpa-supplicant-store-password-as-hash-wpa-eap-with-phase2-auth-pap); unfortunately, the answers given to the purported duplicate are specific to PAP, and do not apply to the MSCHAP-v2 case. [85757](https://unix.stackexchange.com/questions/85757/store-password-as-hash-in-wpa-supplicant-conf) itself has an answer claiming that it's essentially impossible regardless of the protocol, but the justification is invalid¹.

¹ That answer claims that using a hashed password means that the hash becomes the password. This is technically true, but at least the hash is a *wifi-only* password, which is significant progress over leaking a shared password granting access to *multiple* services.
Asked by Clément (632 rep), Apr 25, 2016, 02:41 PM
Last activity: Mar 14, 2024, 04:02 AM