WiFi access points are sources of considerable security risks as the wireless signals have the potential to leak important private information such as passwords. This article examines the security issues posed by point-of-sale (POS) terminals which are widely used in WiFi-covered environments, such as restaurants, banks, and libraries. In particular, we envisage an attack model on passwords entered on POS terminals. We put forward the WiPOS, a password inference system based on wireless signals. Specifically, the WiPOS is a device-free system that uses two commercial off-the-shelf (COTS) devices to collect WiFi signals. Implementing a new keystroke segmentation algorithm and adopting support vector machine (SVM) classifiers with global alignment kernel (GAK), the WiPOS achieves improvement on both keystroke recognition and password prediction. The experimental results show that the WiPOS can achieve more than 73% accuracy for 6-digit password with the top 100 candidates. This article calls the community to take a closer look at the risks posed by the current ubiquitous WiFi devices.