diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index fd3ad0a73..cd72f7a31 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3594,6 +3594,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 	} else if (os_strcmp(buf, "sae_commit_override") == 0) {
 		wpabuf_free(bss->sae_commit_override);
 		bss->sae_commit_override = wpabuf_parse_bin(pos);
+	} else if (os_strcmp(buf, "sae_password") == 0) {
+		os_free(bss->sae_password);
+		bss->sae_password = os_strdup(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 	} else if (os_strcmp(buf, "vendor_elements") == 0) {
 		if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index d2e884c59..c25f2e494 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1378,6 +1378,15 @@ own_ip_addr=127.0.0.1
 # 1 = enabled
 #okc=1
 
+# SAE password
+# This parameter can be used to set a password for SAE. By default, the
+# wpa_passphrase value is used if this separate parameter is not used, but
+# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
+# SAE passwords do not have such constraints. If the BSS enabled both SAE and
+# WPA-PSK and both values are set, SAE uses the sae_password value and WPA-PSK
+# uses the wpa_passphrase value.
+#sae_password=secret
+
 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
 # This parameter defines how many open SAE instances can be in progress at the
 # same time before the anti-clogging mechanism is taken into use.
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 0e1ab02b5..10cacfb8a 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -634,6 +634,8 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 	wpabuf_free(conf->dpp_csign);
 #endif /* CONFIG_DPP */
 
+	os_free(conf->sae_password);
+
 	os_free(conf);
 }
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 76929250a..124ff4a07 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -582,6 +582,7 @@ struct hostapd_bss_config {
 
 	unsigned int sae_anti_clogging_threshold;
 	int *sae_groups;
+	char *sae_password;
 
 	char *wowlan_triggers; /* Wake-on-WLAN triggers */
 
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index e0edcc53c..7146d3dcf 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -361,16 +361,19 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
 					     struct sta_info *sta, int update)
 {
 	struct wpabuf *buf;
+	const char *password;
 
-	if (hapd->conf->ssid.wpa_passphrase == NULL) {
+	password = hapd->conf->sae_password;
+	if (!password)
+		password = hapd->conf->ssid.wpa_passphrase;
+	if (!password) {
 		wpa_printf(MSG_DEBUG, "SAE: No password available");
 		return NULL;
 	}
 
 	if (update &&
 	    sae_prepare_commit(hapd->own_addr, sta->addr,
-			       (u8 *) hapd->conf->ssid.wpa_passphrase,
-			       os_strlen(hapd->conf->ssid.wpa_passphrase),
+			       (u8 *) password, os_strlen(password),
 			       sta->sae) < 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
 		return NULL;