Network safety

[Weng_DK]

I currently have my router setup so it requires 3 things to logon: The SSID is hidden so you most know the name, 14 character password, and Network filtering (your Mac address must be entered in the router GUI)

Of cause it gets a bit annoying if my guests wants to use my wifi.

I'm wondering, which of the 3 are the most important / would be toughest to hack through? Would it be unhackable with just 1 or 2 of them?

[Alterlai]

I would just use a wpa2-psk key. It's takes a very long time to bruteforce.

Are you using the connectoin in a special locatoin? I don't think any moderate neighbour has the time to bruteforce a WPA2 key.

If anything don't use WEP. I've tried cracking it and it takes just a few minutes.

[tom564]

I currently have my router setup so it requires 3 things to logon: The SSID is hidden so you most know the name, 14 character password, and Network filtering (your Mac address must be entered in the router GUI)

Of cause it gets a bit annoying if my guests wants to use my wifi.

I'm wondering, which of the 3 are the most important / would be toughest to hack through? Would it be unhackable with just 1 or 2 of them?

Disabling SSID broadcast and enabling mac address spoofing would do nothing to stop someone who is capable of cracking a secure  wpa2 key

[PBaines]

Yes there are people out there who can hack this kind of stuff, but do you really think there would be someone in your area capable of doing something like that?

 

I have had WPA2 for the last 4 years and never had an intruder..

[neon]

Only the encryption and the strength of the passkey matters, of which you should only use WPA2-AES with a passkey, you should use a strong key, I use a complete random mess that I have written down but if you want something a little easier to handle then something like the Diceware list could be a good solution.

 

Hiding the SSID doesn't really hide it, there are a multitude of apps that can still find it (WiFi Analyser on Android for one) and if the SSID is hidden it causes the devices (ie your mobile) to 'ask' if the network is there, it's not exactly a security risk but more like a privacy risk if you don't turn off your WiFi on your mobile when you are away from home as someone knowing what they are doing can capture that 'ask' and then know your WiFi's SSID.

 

MAC address filtering is similar, using the right tools you can capture the MAC address of a connected computer and spoof it after that only the passkey stands in the way (which is designed to be enough), MAC filtering is best used for control and will easily stump an average person who has your passkey (ie a friend who you don't want connecting again but don't want to change your passkey and re-enter it on everything).

 

To make your router extra secure you should also disable WPS (name changes for different manufacturers) if it's on some routers it can be used to connect illegitimately, also UPnP and remote management should be turned off too.

 

Hiding the SSID and using MAC filtering are not bad things to do but they are no way 'security' related, the only security is the WPA2-AES passkey that is what matters.

[LAwLz]

Protips:

Hiding your SSID makes next to no difference. You can stiff sniff packets being send, and some packets will contain the SSID to the BSS you are connected to, these management packets are not encrypted by the way. All someone has to do is sit close to your network for a few minutes and they will have your SSID. So you can start broadcasting your SSID again and your network will still be just as secure as before. Actually, hiding your SSID might reduce the security because it give you a false sense of security. If you have a hidden network added on your computer to connect automatically, your computer will always try to find it (and yes, it does send out the SSID in plain text when it does) even if it's not in range. What that means is that if you go to Starbucks with your laptop, everyone can see that you got a hidden network at your home, and they can see the SSID of it.

 

MAC filtering is also very easy to get around. Spoofing a MAC address is very easy and there are a ton of programs that does it. Someone just need to get your MAC address (easier than it sounds to some people) and then it won't protect you anymore.

 

The only security measurements you should have on your home wireless network are disabling unused features like WPS, and a strong WPA2-PSK (sometimes called just WPA2, and sometimes called WPA-AES). I recommend 10-15 character long passwords which contain numbers, letters and special characters. Something like !<Yourname>!"<the year you were born>" is very strong. So for me that password would be like: !Martin!"1993" . Easy to remember and tell people, but quite hard to crack because the chance of it appearing in a rainbow table is fairly small. You could change a letter in your name to a number, like maybe the a to a 4 for extra security. Just don't make it too complex, because even quite simple passwords are still strong enough to protect you from almost all attacks, and the extra hassle isn't worth it if you ask me.

 

Basically, anyone competent enough to be able to crack a WPA2 password (which is extremely difficult unless you use a really easy one) will be able to circumvent both SSID hiding and MAC filtering within 10 minutes. By the way, nothing is "unhackable", but a strong WPA2 password is enough to make it 99.9% unhackable.

[Weng_DK]

Wow, lots of great answers! I should've known the bit about Mac addresses - remember cloning one from a PC to a router once, for legitimate purpose ofc.

My pw is definately next to impossible to guess, a ridicolous made-up word with caps and symbols mixed in.

I'm not overly worried about getting hacked, just don't want anyone but my friends being able to use my network.

 

My WPA is currently WPA2 only - TKIP & AES. Guess I'll chance it to AES only then, though I don't know what the difference is

[Blade of Grass]

Wow, lots of great answers! I should've known the bit about Mac addresses - remember cloning one from a PC to a router once, for legitimate purpose ofc.

My pw is definately next to impossible to guess, a ridicolous made-up word with caps and symbols mixed in.

I'm not overly worried about getting hacked, just don't want anyone but my friends being able to use my network.

 

My WPA is currently WPA2 only - TKIP & AES. Guess I'll chance it to AES only then, though I don't know what the difference is

AES is more secure (it's stronger), but if you're running both (I don't know how), then keep it that way.

[LAwLz]

My WPA is currently WPA2 only - TKIP & AES. Guess I'll chance it to AES only then, though I don't know what the difference is

The difference is the encryption type. TKIP is based on RC4 (same encryption used in WEP but a lot more secure implementation of it).

WPA = TKIP by default, basically WEP but with improvements.

WPA2 = Uses AES by default.

 

My guess is that your WPA2 - TKIP & AES is some kind of dual mode which lets both WPA1 and WPA2 devices join (which doesn't really make sense since it's called "WPA2 only").

Anyway, whatever it means it will be more secure if you use AES only, it's it's the stronger type of encryption.

[Weng_DK]

Thanks for enlightening me all