5 Wi-Fi security myths you must abandon now

“Wi-Fi has evolved over the years, and so have the techniques for securing your wireless network,” Eric Geier reports for PCWorld. “An Internet search could unearth information that’s outdated and no longer secure or relevant, or that’s simply a myth.”

Geier writes, “We’ll separate the signal from the noise and show you the most current and effective means of securing your Wi-Fi network.”

5 Wi-Fi security myths you must abandon now:

Myth No. 1: Don’t broadcast your SSID
Myth No. 2: Enable MAC address filtering
Myth No. 3: Limit your router’s IP address pool
Myth No. 4: Disable your router’s DHCP server
Myth No. 5: Small networks are hard to penetrate
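
Why myths 1 and 2 fail, shown on the wire. The following is an added example, not code from the PCWorld article or from this page: it builds a few 802.11 management frames by hand, the way a card in monitor mode would capture them, and parses them back. It shows that a "hidden" network's beacon carries an empty SSID element while the client's probe request and association request spell the name out in cleartext, and that every frame's source address (including the MACs on a router's allow-list) is readable even on a WPA2 network, because the 802.11 header is never encrypted. All addresses, the SSID and the frame contents are constructed.

```python
"""Hidden SSIDs and MAC allow-lists leak over the air (myths 1 and 2).

Added example, not code from the PCWorld article or this page. It builds a
few 802.11 management frames by hand, as a card in monitor mode would capture
them, and parses them back. All addresses and frame contents are constructed.
"""
import struct

SUBTYPE_NAMES = {0: "association-request", 4: "probe-request",
                 5: "probe-response", 8: "beacon"}
# Bytes of fixed fields that precede the information elements, per subtype:
# beacon/probe-response carry timestamp(8)+interval(2)+capability(2),
# association-request carries capability(2)+listen interval(2).
FIXED_BODY_LEN = {0: 4, 4: 0, 5: 12, 8: 12}
SSID_ELEMENT_ID = 0
MGMT_HEADER_LEN = 24  # frame control, duration, addr1, addr2, addr3, seq ctrl


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def element(eid, data):
    """One tagged information element: id, length, value."""
    return bytes([eid, len(data)]) + data


def mgmt_frame(subtype, dst, src, bssid, body):
    """Management frame header; this header is cleartext even on WPA2 networks."""
    frame_control = struct.pack("<H", subtype << 4)  # type 0 = management
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return (frame_control + duration + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + seq_ctrl + body)


def parse_mgmt_frame(frame):
    """Return subtype, addresses and SSID (None if absent, '' if hidden)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    if subtype not in FIXED_BODY_LEN:
        raise ValueError(f"unsupported management subtype {subtype}")
    info = {
        "subtype": SUBTYPE_NAMES[subtype],
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),   # transmitter address
        "bssid": mac_str(frame[16:22]),
        "ssid": None,
    }
    off = MGMT_HEADER_LEN + FIXED_BODY_LEN[subtype]
    while off + 2 <= len(frame):
        eid, elen = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated information element")
        if eid == SSID_ELEMENT_ID:
            # A hidden network beacons a zero-length or all-NUL SSID.
            info["ssid"] = value.decode("utf-8", "replace").rstrip("\x00")
        off += 2 + elen
    return info


AP = "02:11:22:33:44:55"        # constructed, locally administered addresses
CLIENT = "02:aa:bb:cc:dd:ee"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SSID = b"HomeNet"               # constructed network name
RATES = element(1, bytes([0x82, 0x84, 0x8b, 0x96]))  # supported rates, element id 1


def sample_capture():
    """Constructed capture: a hidden beacon, then a client probing for and joining the network."""
    beacon = struct.pack("<QHH", 0, 100, 0x0411) + element(SSID_ELEMENT_ID, b"") + RATES
    probe = element(SSID_ELEMENT_ID, SSID) + RATES
    assoc = struct.pack("<HH", 0x0411, 10) + element(SSID_ELEMENT_ID, SSID) + RATES
    return [
        mgmt_frame(8, BROADCAST, AP, AP, beacon),
        mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, probe),
        mgmt_frame(0, AP, CLIENT, AP, assoc),
    ]


def recover_ssid(frames):
    """What a passive listener learns: the first non-empty SSID any frame carries."""
    for frame in frames:
        ssid = parse_mgmt_frame(frame)["ssid"]
        if ssid:
            return ssid
    return None


def observed_transmitters(frames):
    """Source MACs seen on the air; any allow-listed client is in this set."""
    return {parse_mgmt_frame(frame)["src"] for frame in frames}


if __name__ == "__main__":
    capture = sample_capture()
    for frame in capture:
        print(parse_mgmt_frame(frame))
    print("SSID recovered:", recover_ssid(capture))
    print("client MACs an attacker could clone:", observed_transmitters(capture) - {AP})
```

The beacon parses with an empty SSID, the client's probe and association requests parse with `HomeNet`, and the client's MAC is visible in every frame it sends. Hiding the SSID only moves the name from the beacon to the client's frames, and a MAC allow-list only tells an attacker which address to clone.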

“No myth: Encryption is the best network security,” Geier writes. “Now that we’ve dispensed with five Wi-Fi security myths, let’s discuss the best way to secure your wireless network: encryption. Encrypting—essentially scrambling—the data traveling over your network is a powerful way to prevent eavesdroppers from accessing data in a meaningful form. Though they might succeed in intercepting and capturing a copy of the data transmission, they won’t be able to read the information, capture your login passwords, or hijack your accounts unless they have the encryption key.”

Read more in the full article here.

59 Comments

            1. I strongly support privacy much more than the average consumer, but how can you associate privacy and liberty? The two are unrelated concepts. The former refers to control of information, the second to physical or legal power (which, in a republic, must absolutely be individually compromised to allow for the meaningful workings of a productive civilization). Stop confusing yourself.

    1. I’m not trying to hide from the NSA, I am trying to hide from the Chinese, Russians, or any other nation or black hat group that would look to make any part of my life miserable, by ruining my credit, emptying my bank account, etc.

      Privacy is not only an issue with the NSA, it’s an issue with other organizations which are not protecting us from terrorism… They just all go together, because if the NSA can get in, then so can others.

            1. Ah, well the feeling is the same. I do trust that the NSA is not out to do me harm, even if they do me wrong. Like the scorpion, he’s not out to get you, he just can’t help himself. So what I am saying, we need stronger security, ever changing and escalating.

            2. So the NSA is the same as Nazi Germany, is what you are saying.

              Surely Gulf of Tonkin is no different than “Weapons of mass destruction” in Iraq.

              There is a military industrial complex to feed. (a fox or scorpion)

              Not saying it’s right. I don’t like it and don’t feel personally targeted by these things.

              You know there is a point in going too far. You don’t like Obama, and that’s okay. I didn’t like Bush. It seems it doesn’t really matter.

              Whoever sits in the Oval Office is going to be blamed for some fictional Nazi or Communist conspiracy.

            3. “whoever sits in the Oval Office is going to be blamed…?” …you’re goddamned right he is when he breaks his oath to defend, preserve and protect the Constitution Of The United States.

            4. What do you think when a 48 story building “falls down” in its own footprint? What do you think when it’s blamed on Saudi nationals yet we attack Iraq? Do you think Dubya could have been re-elected or the “Patriot” Act become law without and its mainstream media whores defending the warmongering?

            5. …defend this, protect that, NSA did this, president did that, where has my privacy gone in this time of technology, constitution this, conspiracy, conspiracy, conspiracy.

              The man stated his opinion and you’ve dragged him down to this level of paranoia. And yes, anyone who even remotely thinks 9-11 was an ‘inside’ job is most certainly paranoid.

              Can we just give this a rest?

            6. Look, you want to take down Obama, for any number of reasons. I was no fan of Bush Jr or Cheney. You say NSA is against us. I say if so, then it started long before Obama or anyone in my lifetime. (Look to Hoover and/or Truman.) You say 9/11 was an inside job. I say, not during the current administration.

              Look, let’s agree that we want to prevent/avoid tyranny. Let’s agree the President has an oath to the people and Constitution to uphold.

              We don’t have to agree on social programs. We don’t have to agree on whose side we are on.

              However if you want a boogie man, and you point out what’s wrong in our nation and around the world, to show who the boogie man is, well you will never find the boogie man. Because what we have has happened over decades and many people in our government and others are to blame.

              If you look at nature, and accept that humans are a part of nature, you will see a pattern that what society evolves into, it’s 100% natural, and there’s nothing we can do to stop it. As soon as you think you got your man, there’s someone else right around the corner to replace them, not by design but by nature.

              My naivety is simply a belief that most people are honest and caring, as individuals. Much like you are. However when it comes time to kick the “ball down the field” people get mixed up in terrible things. Bad decisions are made, justification is founded on “for the good of the people.” You decide for yourself, from history, who fits this definition. Be prepared to disagree.

    2. all the wifi security is pointless if your internet service provider is whoring with the NSA.

      Not if you encrypt everything at your source end, then transmit it, then have it decrypted at the receiver end. This can be accomplished using PGP (Pretty Good Privacy, now owned by Symantec) or GPG (GNU Privacy Guard, an open source version of PGP). Use the highest encryption rate you can lay your hands on. So far, AES hasn’t proven to have any NSA inflicted back doors.

      Last week we learned that one of the random number generators used by RSA (Rivest, Shamir & Adleman, core Internet encryption company), of all companies, uses NSA compromised technology, rendering their encryption highly suspicious. It was known to be a crap random number generator from day one, implicating RSA as NSA ‘whores’, which is a shocking shame.

      http://www.theregister.co.uk/2013/09/23/rsa_crypto_warning/

  1. The comments that follow the article are funny. One person screams “Where’d you learn your networking?” and then proceeds to make a completely bogus assertion about networking.

    Instead of turning off SSID broadcasting, I say name your SSID something that might deter thieves. Driving through a small coastal town one day OS X was showing thirty-some SSIDs in range of us, and the one that really stood out was “FBI Internet Crimes Task Force” 🙂

    1. A neighbor’s is “Stay off my Shit”
      My sister is moving, plans to rename their network similar to the FBI one.

      I second the changing the SSID from the default one..
      So many I see are the comcast/phone company/etc names.. 5 minutes or less of searching can tell you which standard router that company uses, and the default password that 99.999999999999% have never changed.

    1. That would make no difference. Rainbow tables are lists of passwords. They’re used for any service that requires a typed in password. They have no connection to the SSID whatsoever.

      Regardless of what you name your network or if you don’t broadcast your SSID, it’s trivial to find out the name of the network.

      Once this is done, an attack program would use the rainbow tables to brute force your password.

      Naturally this will work fairly quickly if a) you’ve used a password likely to be found in a rainbow table and b) the wireless router has no method for detecting and preventing a brute force (like lockouts after a number of incorrect passwords).

      Since WPA2 passwords have a pretty large range, any reasonably strong password is going to keep most attacks out. Naturally you also need a strong password on your admin web interface.

  2. Re: MAC address filtering…

    Can 2 devices connect to a network using the same MAC address simultaneously, or would the hacker have to wait for an opportunity, where a device with a permitted MAC address was no longer connected to the network? ie. a mobile device no longer connected to the network.

    1. Hi Bandit Bill, I’ll take your question.

      Two devices having the same MAC address cannot connect to the same network simultaneously as this would interfere with the routing of packets on Layer 1, the MAC layer. The router will assign an IP address based on the MAC address of the device, assuming you have it DHCP enabled. If you have two IP addresses that are the same on the same subnet on the network, this will result in a rejection of the latter IP attempting to join the network.

      To answer your question, the same network cannot admit two IPs or MACs having the same address. For the spoof to work, the MAC address of the device trying to join your network must wait until the MAC device it is trying to spoof has left the network. It’s not as easy to do as the author of this story makes out.

      I would say that if you have IP address filtering (by restricting the subnet mask on your network) and MAC address filtering enabled on your router (by specifying admitted MAC addresses), you should enable that as it will add another layer of security on your wireless network.

      1. It’s not that secure. All you need to do is have the attack computer send a constant string of DHCP requests. Timed properly these will slip in before the existing DHCP client has a chance to renew (which happens automatically from several hours to a day depending on the OS and configuration).

        In any event, there are easier ways to get in the middle of an existing WiFi connection and take over the session depending on the security of the router and clients.

        That’s why most networks don’t use MAC address filtering as any sort of network security.

  3. The article proposes encryption as if that were all you need. If you want a secure network you need to layer security. Some of his “myth” measures become part of those layers.

  4. Myths to abandon: Myth No. 2: Enable MAC address filtering

    BULLSHIT! I’ve had arguments with certain people about this and they all LOST. Using MAC address filtering is an EXCELLENT idea IF used as simply another layer of security alongside all the others.

    Meanwhile: Using MAC address filtering alone is a VERY stupid idea, about as stupid as using fingerprint scanning alone for security. Not joking. Whereas, adding either as another layer of security is a GREAT idea! So just do it, if you want to.

    Aren’t lemming memes amazing? Some idiot starts a stupid meme and the lemmings line up to jump off the cliff like a good happy smiley shiny bunch of clones would. 😛

    1. BTW: A couple odd omissions left out of the article:

      1) WPA2 is the ONLY current reliable encryption to use on routers.

      WEP is a joke, crackable within a minute.

      The original WPA takes considerably longer to crack, but HAS been cracked and is considered unreliable for professional purposes. Therefore, if you’ve got it on your router, ONLY use WPA2.

      2) He neglected to mention that the single least secure part of any router system can be the PASSWORD. If you don’t change the default router password, you’re screwed. Dozens of websites provide ALL the default router passwords. A mean cracker could lock you out of your own router. I’ve been tempted to do so many times. Silly rabbits. If you don’t use a nasty, unguessable WPA2 login password, again you’re screwed. Password dictionary attacks are now incredibly elaborate, incorporating a wide variety of user ‘tricks’ found in lame passwords, such as using LeetSpeak or letter/number substitution.
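
The rainbow-table discussion earlier in the thread and the dictionary-attack point in the comment above both come down to how WPA2-Personal turns a passphrase into a key. The following is an added example, not code from the article or from any commenter. WPA2-PSK derives the 256-bit pre-shared key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), so the SSID acts as the salt: a precomputed table is tied to one network name, and an attacker who builds one for a default SSID can reuse it only against networks with that same name. The mangling rules, word list, SSID and target passphrase are constructed, and the attack here compares candidates directly against a PSK; a real offline attack checks each candidate against the MIC of a captured 4-way handshake, which this demo skips.

```python
"""WPA2-PSK dictionary attack cost and why precomputed tables are per-SSID.

Added example, not code from the article or any commenter. WPA2-Personal
derives the 256-bit pre-shared key as PBKDF2-HMAC-SHA1(passphrase, SSID,
4096 iterations). Word list, mangling rules, SSID and target passphrase
are constructed. A real offline attack verifies candidates against a
captured 4-way handshake MIC rather than a bare PSK; that step is skipped.
"""
import hashlib

PBKDF2_ROUNDS = 4096
PSK_LEN = 32


def wpa2_psk(passphrase, ssid):
    """The PSK every 802.11 supplicant computes; the SSID is the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_LEN)


# A deliberately small rule set of the kind cracking tools apply to each word.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "1", "123", "!", "2013")


def mangle(word):
    """Candidate passphrases for one dictionary word: case changes,
    leet substitutions and common suffixes, restricted to legal lengths."""
    bases = {word.lower(), word.capitalize(), word.upper(),
             word.lower().translate(LEET), word.capitalize().translate(LEET)}
    candidates = {base + suffix for base in bases for suffix in SUFFIXES}
    return sorted(c for c in candidates if 8 <= len(c) <= 63)


def crack_psk(target_psk, ssid, wordlist):
    """Offline dictionary attack. Returns (passphrase, candidates tried),
    or (None, candidates tried) when the list is exhausted."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if wpa2_psk(candidate, ssid) == target_psk:
                return candidate, tried
    return None, tried


SSID = "HomeNet"                                      # constructed network
VICTIM_PASSPHRASE = "Summer2013"                      # constructed weak passphrase
WORDLIST = ["coffee", "dragon", "summer", "monkey"]   # constructed word list


def demo():
    """Attacker knows the SSID and a PSK to test against; recovers the passphrase."""
    target = wpa2_psk(VICTIM_PASSPHRASE, SSID)
    return crack_psk(target, SSID, WORDLIST)


if __name__ == "__main__":
    # IEEE 802.11 PSK test vector: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    found, tried = demo()
    print(f"recovered {found!r} after {tried} PBKDF2 runs of {PBKDF2_ROUNDS} rounds each")
    # Same passphrase, different SSID: a table built for one network is useless for another.
    print(wpa2_psk("password", "IEEE") != wpa2_psk("password", "IEEE-guest"))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is what makes WPA2 cracking slow per guess and why the attack is only practical when the passphrase is a dictionary word plus a handful of mangling rules, as `Summer2013` is here. A long random passphrase defeats this attack outright, and because the SSID salts the derivation, renaming the network away from the vendor default also voids any table an attacker prepared for that default name.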

    2. The topic at hand does not relate to using *only* MAC filtering. It is a given that WPA2 encryption with a strong password is being used.
      That being said, would you not agree that any person or organization capable of cracking such a WPA2-protected network would find MAC address spoofing a trivial matter to overcome?
      I would even expect that high-end cracking tools keep track of the MAC addresses in packet captures so that once encryption is cracked, the various MACs can be tried until one is found for a device not currently on the network.
      I would not insult someone who would want to add that layer to their security practices, but it really only adds a minute or so to the time it would take for someone to defeat it (again, that “someone” has already cracked your strong WPA2 password). If your WPA2 is cracked, you have much bigger problems, because someone REALLY wants access to your network.

      1. Read what I wrote. I don’t know what you’re going on about. There is no argument against adding MAC address filtering to an already good set of security precautions. None. Nada. Give up. Being too lazy to want to bother with MAC filtering is up to you. But NEVER attempt to stop other people from using it if they choose to. It’s an excellent tool in the tool chest. That’s why it’s still available on ALL routers. Duh-A-Duh. I hope you feel insulted now as I am entirely sick of people inventing the myth that MAC address filtering is anything bad or useless. And so forth.

        And no, I won’t be replying any further to this idiotic subject.

        1. Sounds like you need to read what I wrote. I am sorry, I do not feel insulted, because you are wrong, so it’s just as well you run and hide, as you can’t seem to address my single question to you.

            1. Because I am a respectful person, I re-read your post, but I don’t see any reason why you’d refuse to answer my one question about the topic unless you are thinking you might be wrong. So that you don’t have to scroll all the way up there to read it again, here it is: would you not agree that any person or organization capable of cracking such a WPA2-protected network would find MAC address spoofing a trivial matter to overcome?
              I agree, it’s not your problem, just your reputation.

  5. I am disappointed, I had hoped to have a civil discussion so that we both might learn something. But, since you’re cutting and running, I guess we’d have to say you have forfeited.
    Better luck next time.
