As a previous comment had pointed out before as well:
You wait for handshakes, fake a deauth packet of the handshaking client, spoof an access point with the same SID and wait for the deauth'd client to try a reconnect.
Voila, cleartext PSK without any bruteforcing.
And it's not solvable either. You can't use fingerprinting as this would make mesh LANs and quick access point failover impossible.
Pretending to be an access point and going through a handshake doesn't let you retrieve the pre-shared key. (Unless the client is vulnerable to downgrade attacks, which hasn't been a big consideration in more than a decade.) Evil twin attacks are powerful but don't achieve what you say.
The station sends to the access point a message authentication code based on nonces and the pairwise master key, which in turn is based on the "network password". It's produced using a series of HMACs and isn't an operation that can be inverted without brute force.
WPA handshakes do not tell you the network password.
You use e.g. hashcat to brute force the network password using a stored handshake.
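The key derivation discussed in the replies above, as an added example that is not part of any comment in the thread: it shows that the station's message 2 carries only an HMAC-based MIC, and that an access point holding a different passphrase cannot even validate it. It assumes WPA2-PSK with the HMAC-SHA1 key descriptor; the function names, MAC addresses, nonces and the frame stand-in are constructed for illustration.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF: HMAC-SHA1(PMK, label || 0x00 || sorted MACs || sorted nonces || counter)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    out = b"".join(hmac.new(pmk, label + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(3))
    return out[:48]  # KCK (16) || KEK (16) || TK (16) for CCMP

def eapol_mic(ptk: bytes, eapol_frame: bytes) -> bytes:
    # MIC = first 16 bytes of HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)
    return hmac.new(ptk[:16], eapol_frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not captured traffic)
SSID = "IEEE"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MSG2 = b"stand-in for EAPOL message 2 with the MIC field zeroed"

def station_msg2_mic(passphrase: str) -> bytes:
    # What the client actually transmits: a MIC, never the passphrase or PMK
    pmk = derive_pmk(passphrase, SSID)
    return eapol_mic(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE), MSG2)

def ap_can_verify(ap_passphrase: str, observed_mic: bytes) -> bool:
    # An AP can only check the MIC by recomputing it from its own passphrase
    return hmac.compare_digest(station_msg2_mic(ap_passphrase), observed_mic)

if __name__ == "__main__":
    mic = station_msg2_mic("password")
    print("MIC on the wire:       ", mic.hex())
    print("real AP verifies:      ", ap_can_verify("password", mic))
    print("twin without PSK does: ", ap_can_verify("not-the-psk", mic))
```

Because the only way to test a passphrase against the MIC is to redo the 4096-iteration PBKDF2 and the HMAC chain, the practical defence is a long, non-dictionary passphrase.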