I've been stumbling onto blogs that provide "tips" for installing a WiFi network. Unfortunately several of these sites suggest disabling SSID broadcast, enabling MAC address filtering and other terrible suggestions as security tips. This is utter nonsense so I'm going to show you why NOT doing this is a better decision.

Take this analogy. Everyone knows banks have cash. If I take down the "Bank" sign in front of the bank it doesn't make the bank any more secure because bank robbers still know it's a bank. Removing the sign only makes it harder for customers to find. This is analogous to hiding your SSID. It decreases usability for legit users but has no impact on bad guys.

Lets use the bank again but this time the bank has a guard who will only allow entry to people wearing a simple sticker with a valid account number. A robber could watch any customer enter, copy their account number and walk right in. On the other hand, if you forgot your account number you'd have to refer to your statements to look it up. This guard is about as ineffective as MAC address filtering.

Hiding your SSID increases security - FALSE

A hidden SSID can be discovered effortlessly. Anyone can use an off the shelf wireless card that supports RFmon mode and download Kismet. That's it. Your SSID is as visible to those people as if it were being broadcast.

MAC address filtering increases security - FALSE

Like hidden SSIDs, MAC address filtering is useless when it comes to security. WiFi access points broadcast frames to all clients much like older Ethernet hubs. The network frame includes the MAC address of the target device. All transmissions you send or receive over WiFi announce the valid MAC addresses of your trusted devices. All an attacker has to do is change their MAC address to match one of your addresses. This can be done in Windows without any special software.

Common arguments

"But It'll keep my neighbors out" - No it won't. Good encryption is the only way to keep your neighbors and everyone else out. If you have good encryption, additional obfuscation is pointless.

"I don't care if people use some of my bandwidth" - Would you care if they download music and movies, send out spam and viruses, launch cyber attacks? These activities will be traced back to you and could land you in prison for years (not to mention some hefty fines). It's not just about bandwidth.

Hiding your SSID and using MAC address filtering inconveniences authorized users

Each time you want to add a new device you'll need to manually enter the SSID on the device you wish to connect. This can be especially irritating on wireless devices without keyboards. If you mis-type just one character the device won't connect. If you forget your SSID you'll have to refer to a device that's already connected or login to your router and check. You'll also have to login to your wireless access point to add new trusted MAC address. MAC addresses must also must be typed verbatim.

All that and for what? Those extra layers provide no additional protection against a determined hacker.

Deterrent SSIDs

Since I recommend broadcasting your SSID, why not have a little fun. Here are a few suggestions for deterrent SSID names. Would you ever connect to networks with names like these?

• watchingYouType
• scanningYourEmail
• virusLoader
• spywareLoader
• 10dollarPerHourWiFi
• StealingYourPasswords

And for you geeks:

• wireshark/ethereal
• pcap
• honeypot
• packetSniffer