diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix
index da0618bc..d9669938 100644
--- a/nix/configurations/vanadium/nixos/connectivity.nix
+++ b/nix/configurations/vanadium/nixos/connectivity.nix
@@ -32,41 +32,52 @@
       userControlled.enable = true;
       secretsFile = config.age.secrets.wpa_password.path;
       networks = let
-        orderedByGroups = networkGroups: let
-          groupsCount = builtins.length networkGroups;
-          withPriority =
-            lib.lists.imap0
-            (i: lib.mapAttrs (_: n: n // {priority = groupsCount - i;}))
-            networkGroups;
+        # The higher the more preferred
+        prio = i: lib.mapAttrs (_: conf: conf // {priority = i;});
+
+        privatePrio = prio 10;
+        limitedDataPrio = prio (-10);
+
+        openNetworks = lib.flip lib.genAttrs (_: {});
+        pskNetworks = let
+          # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+          escapePwdKey = lib.replaceStrings ["="] ["_"];
         in
-          lib.mkMerge withPriority;
+          lib.flip lib.genAttrs (name: {pskRaw = "ext:${escapePwdKey name}";});
       in
-        orderedByGroups [
-          {
-            "HiddenParadize@Earth2077".pskRaw = "ext:HOME";
-            "Pei’s Wifi".pskRaw = "ext:PEI";
-            "girlypop-net".pskRaw = "ext:GIRLYPOP";
-            "annapurna".pskRaw = "ext:ANNAPURNA";
-
-            "5526-1" = {
-              pskRaw = "ext:5526-1";
-              extraConfig = ''
-                bgscan="simple:30:-70:3600"
-              '';
-            };
-          }
-          {
-            "A-WAY".pskRaw = "ext:A-WAY";
-            "CAT.jpgcafe".pskRaw = "ext:CAT.jpgcafe";
+        lib.mkMerge [
+          (privatePrio (pskNetworks [
+            "HiddenParadize@Earth2077"
+            "Pei’s Wifi"
+            "girlypop-net"
+            "annapurna"
+            "5526-1"
 
+            "A-WAY"
+            "CAT.jpgcafe"
             # TODO: Figure out how to configure networks of "same password, different ssid".
             #
             # In the following documentation, bssid can be used to match
             # Besides, is it possible to have duplicated SSID?
             # https://man.freebsd.org/cgi/man.cgi?wpa_supplicant.conf%285%29
-            "LOUISA".pskRaw = "ext:LOUISA"; # 區公所
-            "LouisaCoffee".pskRaw = "ext:LouisaCoffee"; # 七張
+            "LOUISA" # 區公所
+            "LouisaCoffee" # 七張
+          ]))
 
+          (limitedDataPrio (pskNetworks [
+            "iPhone de Léana 江"
+          ]))
+
+          (openNetworks [
+            "_SNCF_WIFI_INOUI"
+            "_WIFI_LYRIA"
+            "EurostarTrainsWiFi"
+            "SBB-FREE"
+            "AOT Airport Free Wi-Fi by NT"
+          ])
+
+          # TODO: Delete this when my account is deactivated
+          {
             eduroam = {
               authProtocols = ["WPA-EAP"];
               auth = ''
@@ -82,15 +93,13 @@
               '';
             };
           }
+
+          # Other per-network configuration
+          # bgscan has performance penalty so we don't enable it globally
           {
-            "_SNCF_WIFI_INOUI" = {};
-            "_WIFI_LYRIA" = {};
-            "EurostarTrainsWiFi" = {};
-            "SBB-FREE" = {};
-            "AOT Airport Free Wi-Fi by NT" = {};
-          }
-          {
-            "iPhone de Léana 江".pskRaw = "ext:PHONE";
+            "5526-1".extraConfig = ''
+              bgscan="simple:30:-70:3600"
+            '';
           }
         ];
     };
diff --git a/nix/secrets/wpa_password.age b/nix/secrets/wpa_password.age
index 6f1e5510..3359e69e 100644
Binary files a/nix/secrets/wpa_password.age and b/nix/secrets/wpa_password.age differ