I believe in this auth situation, the password is not sent to the server in cleartext; rather, the server sends a challenge to the client, the client performs the challenge using the password as a parameter and sends the result to the server, and then the server checks that the result is valid for the expected password. The password itself cannot be determined from the challenge result.
So, even by impersonating an AP you don't get the user's password.
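A generic challenge-response exchange of the kind described above, as an added example that is not part of the original post and is not the actual Wi-Fi authentication protocol. The `Server` class, `client_response`, the PBKDF2 plus HMAC-SHA256 construction, and the sample password and salt are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Both sides derive the same key from the password; the key never crosses the wire.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    # Client proves knowledge of the password by keying an HMAC over the server's challenge.
    return hmac.new(derive_key(password, salt), challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, password: str, salt: bytes):
        self.salt = salt
        self.key = derive_key(password, salt)
        self.pending = None  # challenge currently awaiting a response

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh random nonce per attempt
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # each challenge is single-use
        return hmac.compare_digest(expected, response)

def run_exchange() -> dict:
    password, salt = "correct horse battery", b"constructed-salt"  # constructed sample values
    server = Server(password, salt)

    c1 = server.challenge()
    r1 = client_response(password, salt, c1)
    wire = c1 + r1  # everything an observer of this exchange sees
    legit = server.verify(r1)

    server.challenge()
    replayed = server.verify(r1)  # captured response replayed against a new challenge

    c3 = server.challenge()
    wrong = server.verify(client_response("guess", salt, c3))

    return {"legit": legit, "replayed": replayed, "wrong": wrong,
            "password_on_wire": password.encode() in wire}

if __name__ == "__main__":
    print(run_exchange())
```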