Why does Windows store Wi-Fi passwords in a reversible format?

tl;dr- Windows is acting as a password manager, and like all password managers, it must remember the passwords it manages. You're probably thinking of the thing where servers are supposed to store hashes instead of passwords; that strategy doesn't apply here.

@forest's answer demonstrates a major caveat – that, if we assume a wireless network will always use a specific protocol that starts by hashing the password, e.g. WPA2, then Windows could forget the original password in favor of the protocol-specific hash.

Why is it that Windows would store credentials in a reversible format? Why is it not just storing the hash of the password that it sends access points to complete the handshake and establish connection?

Windows is serving two different roles here:

  1. Password manager:
    Windows can remember network passwords for you. When it does this, it's acting as a password manager. Like any other password manager, it must store the passwords it manages.

  2. Client:
    Windows must convince the WiFi network that it knows your password. To do this, it must know your password.

If you're concerned about Windows storing your password, it'd seem like you can just stop using its password management function. However, you'll still need to supply Windows with a network password in order to log into a network, much like you must supply an email portal with your email password to log in.

Note: The advice you're thinking of applies to servers, not clients.

You're probably thinking of the thing where a server shouldn't remember plaintext passwords, but rather a hash of them. That doesn't apply here since Windows isn't the server.

You can hash the WiFi password if you like, but then the hashed password would be the new password. This'd basically be the same thing as using a key-derivation function to generate your WiFi password.

Exception: Protocol-specific hashes can be retained.

The above answer is written for a general-case protocol.

However, specific protocols may call for having the password hashed, such as in the popular wireless protocol, WPA2. If we assume that the network will always use a specific protocol like WPA2 across all access points and time, then we can forget the original password if we just retain that hash.

The issue with retaining just the hash is that it's not the network password so much as the protocol-specific network password. This is, a client that retains just the hash under one protocol would break if the network updated to WPA3, or if they went in range of an older WPA access point, etc..

The password is never sent. It is hashed, and that hash is used (indirectly) for encryption.

The password can be passed through an algorithm called PBKDF2-HMAC-SHA1 with 256-bit output and a salt derived from the ESSID (network name) to generate the PSK, a raw 256-bit key. This PSK is used to encrypt a handshake, called the 4-Way Handshake, between the client and the router where a random, per-session data encryption key is exchanged. It is also used for authentication.

The reason Windows does not store the raw PSK rather than the password is for better user experience. If someone doesn't know their password when adding a new device to the network, they can view it on Windows without needing to connect to the router's administrative panel. Storing passwords in an irreversible format is useful for servers where there exists a risk that a database of passwords will be stolen en masse. For a mere personal Wi-Fi password, this risk is far less pronounced.

Please note that this only applies to WPA2-PSK. There are other Wi-Fi encryption standards, even under the WPA2 label, which do not use any kind of pre-shared password, such as WPA2-EAP, which can negotiate a key on the fly.

To demonstrate that this is possible, this can be done on Linux with wpa_passphrase. We will use the sed command to remove commented lines, which contain a plaintext copy of the original password:

$ wpa_passphrase MyNetworkName MySecretPassword | sed '/^\s*#/d'

The line which was commented out containing the original passphrase has been removed. It's important to be aware that this PSK, if stolen, will give the attacker the same capabilities as if they stole the original password. They will be able to decrypt stored sessions and authenticate to your access point. However, they will not know the original password itself, which may be useful if it is used elsewhere (a bad idea).