From my current understanding, WPA networks use a network's SSID and password to produce a PSK (pre-shared-key), which encrypts/decrypts communications between the router and the client before a new key can be negotiated.
If a router does not have a set password, does this mean that the key negotiation between the router and the client is not encrypted?
The minimum allowed password length for WPA2-PSK is 8 characters. So APs that don't have any password (or other form of authentication) are actually open. They use no encryption at all.
In fact, the 4 way handshake is never encrypted. HMAC-SHA1 is used to prove that both parties know the PMK, but the ANonce, SNonce and MAC addresses are always transmitted in clear.
