Hide Your SSID?

New routers may include WPA2 which is even better than WPA. I've also heard that changing the channel to 5 or 11 may reduce the area interference, particularly if neighbors are using the default channel (usually 6). This does not improve security but can improve speed.

One important thing you might want to add is that the SSID should not be something that will make it easier for someone to figure out which house / apartment your network is from. In other words, use something easy to remember but not personally identifiable. Don't use your address!

And changing the default admin username and password is of the utmost importance, I actually locked one of my buddies out of his network because he did not. I only did it to show him he should have changed it, but what if it had not been me?

Whilst all the information you provided with reference to wireless connection security is good and valid, you failed to mention the 'MAC' address code which all wireless cards possess. You can set up the router to only accept a connection from other wireless linked computers, by defining the MAC address of the wireless card or cards, in the router's set-up procedure.

MAC addresses are unique to each wireless networking card and it is 'burned' into ROM during manufacture. This applies to either a separate card, or the networking hardware built-in to a laptop. The MAC address is normally a 48 bit code, which provides over 280 Trillion possible MAC addresses.

This being the case, it will make hacking in to a system very difficult, if not impossible, since only a wireless card, or cards, bearing a MAC address or addresses, which have been defined in the router set-up, will be able to establish a connection to the router.

The set-up procedure is very simple and the MAC address for each card is identified on the card, in the format xx:xx:xx:xx:xx:xx:xx:xx where 'x' is a hexadecimal digit.

EDITOR'S NOTE: It may not be a big deal for you to open a PC or laptop, find the network adapter, and copy down a long string of numbers and letters. But trust me... this is WAY beyond the comfort level of most computer users!

There is a fourth important step in securing a home wireless network. Most wireless routers support the enforcement of an Ethernet Media Access Control (MAC) Access Control List (ACL). Every ethernet device is assigned a unique MAC address by the manufacturer. It is usually printed somewhere on the outside of the device and it can also be determined by using the Windows command: ipconfig /all

When a MAC ACL is enforced in the router, only MAC addresses that have been added to the ACL can connect. A connection request by any device with a "foreign" MAC is denied. Admittedly, this fourth security step can be overcome by a sophisticated and determined hacker, but it is one more important layer of defense for the network owner.

I think Bob has forgotten that there's an easier way to view your network card's MAC - use "ipconfig /all" on Windows, and similar commands on other OSs. Restricting your WiFi network to known MACs is an excellent idea, IMO, and is definitely worth the trouble.

EDITOR'S NOTE: So noted!

Bob, I used this and the related article to improve the security of my wireless network. In so doing I had to contact my ISP since I had no router owner's manual. That was a learning experience! I ended up with 128 bit encryption. In the course of learning, I encountered the following message: "TKIP requires either 64 hexadecimal characters or an ASCII "pass phrase" between 8 and 63 alphanumeric characters". Please explain TKIP and compare that to 128 bit encryption. Is that something I can invoke on my own or is it dependent on hardware or software? [My ISP supports WEP-ONLY (not WPA).] Also, where can I find a list of ASCII characters to develop a "pass phrase", which I take to mean just a long password.

EDITOR'S NOTE: TKIP (Temporal Key Integrity Protocol) is a security protocol designed to replace the the older WEP standard, without the need to replace router hardware. In other words, it's better than WEP, not as good as WPA, but it's the best you can do on an older router whose hardware does not support WPA. ASCII characters are just plain text (A-Z and 0-9, with a few other special characters) so yes -- it's computerese for "long password phrase".

Sir, Is there any command to find the SSID of the Wireless network.

EDITOR'S NOTE: You can login to the router with your browser to see the SSID.

I have a PalmOne hand-held gadget, and I don't know the equivalent of the IPCONFIG command to find it's MAC address -- but there was an easy workaround. I set my wireless router to allow "anyone" to log on provided they know my (hidden) SSID and WPA passphrase. I logged on with the PalmOne, then used the browser on my PC to connect to the router and view the list of current connections, and it gave me the MAC address of my PalmOne. After adding that MAC address to the list, I reset the router to only accept connections from that list.

I agro with your analysis of hiding your SSID. I would like to make it clear that using the MAC ACL to deny access is about equally as fruitless as hiding your SSID. Cloning a MAC address is very simple in linux/unix. You take down your interface, issue a command to change it (dont recall off hand) and bring the interface back up. In Windows you can download a program that will change your MAC address for you. By using MAC ACLs, you should inform your user that they may lock themselves out if they type the MAC incorrect or have to change their network card for any reason. WEP can be broken in a matter of minutes. My suggestion as far as encryption goes is to not use WEP. Instead use WPA or WPA2. Additionally, if you have the option use AES instead of TKIP. AES is a NSA approved method for encrypting classified information so I think it is good enough for a wireless connection. Also, in some routers there is an option to make your wired network invisible to connections made through the wireless portion of the router. This can help to keep a less skilled hacker from getting to your wired computers once they have broke into your wireless network. The only method known for breaking WPA last I heard is to bruteforce the key. Therefor when you chose a WPA key, make it as random as you can and use all available keys to include special keys, and make it as long as possible as per the capability of your hardware.

In your instructions, you direct the reader to connect to the wireless device as the administrator using unencrypted HTTP. As you note, that is likely the default configuration (as well as username and password for Linksys products.) (Finding other administrator default usernames and passwords can be found on the various manufacturer websites, in the product manuals.)

If the user connects via wireless using HTTP and the admin password, then anyone else using that wireless connection could sniff the password from the air. Again, this is not something a casual hitchhiker would do, it takes knowledge and software. But if a malicious hitchhiker is already connected and watching for passwords, then you have defeated the entire purpose of making the network more secure! That malicious person can use the password to gain access to learn the encryption password, etc.

If the HTTPS is not available by default over the wireless for admin purposes, another possible idea is to connect only via a cable. It then depends on if the access point segments the traffic enough that it cannot be sniffed.

Tough chicken-and-egg situation, I wish manufacturers made HTTPS the default or only way to connect to their unit's web admin UI.

I have setup my router using WPA key and also changed the router admin password. Recently I discovered something and want to check with you for advice. If I type 192.168.0.1 from IE (this is common DLINK router address) I will be allowed to login to my router with "admin" as user-ID and spaces as password. It doesnt let you change any settings (becuase incorrect pswd), but it lets browse through router settings, where one can easily read WPA key (WPA key is not *** here).

EDITOR'S NOTE: Something is wrong with your router software if you can see all that without logging in. You might try doing a factory reset, then setting passwords for all defined users on the router.

Hi Bob,

Recently Comcast has upgraded my service by doubling the speed. I have a Netgear RP614 router in line and when I go directly through the cable modem I can pickup the hi speed, when I add the router in-line (I left it in-line for safety sakes) it drops back down to original speed I started with. I don't know how to reprogram the router for the higher speed if need be. I have pulled the power to both devices for reset to reinstall them, but, to no gain in speed. Could I be walked through this procedure or due I need a new router to pick-up the extra speed?

EDITOR'S NOTE: I assume you are wanting the extra protection of the firewall and NAT router. Usually the modem and router are combined in one box. Are you sure your cable modem is not also a router?

I have to agree re the MACy address - they are simple to spoof for a hacker and offer NO protection (I got this from real hackers who work to secure companies). Likewise hiding your SSID is useless and in fact, violates the wireless standards and not meant for security - it is just an ID. Despite what you think, many things are still broadcast in the clear and anyone with a sniffer can break in easily. The guys we met with had all the information they needed to break into nearly all the laptops in our local Paneras while waiting for our meeting. Scary stuff out there. WPA2 is your best bet for now.

There is a privacy flaw in the recommendations here.

Your last-connected SSID is divulged by your radio NIC; so if that preferred SSID is unique, then someone who knows you can connect the dots.

In essence, no matter where you connect, they can tell where you came from (i.e., your prior connection).

This is because the last-connected SSID is disclosed in the "association request" frame.

In addition, the previous "authentication" frame already disclosed your radio NIC's MAC address.

So, by following the recommendations here, you increase home security only slightly but you compromise hotspot privacy slightly.

I suggest you to get a little creative and name SSID something that would be perceived by people as npt in working condition or something that would deter hackers.

I've someone who is trying to connect to my wifi almost everyday. This is done very few minutes for hours. So I guess he must be using some sort of machine to scan and try to hack into my wifi.

I know the MAC address of this guy. Is it possible to catch the culprit by knowing his MAC address? If not, what option do I have? I am worried one day he maybe able to crack my password as he is using machine to do it.

EDITOR'S NOTE: Use WPA2, set a really good password, and rest easy. See these links:
http://askbobrankin.com/is_your_wireless_router_really_secure.html
http://askbobrankin.com/hey_is_this_your_password.html

slightly off-topic but i have a comment: I tried disabeling the SSID broadcast for my wifi router once. When the SSID broadcast was off, my wireless computers and portable devices couldn't connect to the AP. fun. :p As soon as i turned SSID broadcast on, my devices could connect to the access point.