
How-To Geek

Debunking Myths: Is Hiding Your Wireless SSID Really More Secure?

Seems like every guide to securing your wireless network tells you to keep your SSID from broadcasting to make your network more secure, but is that really worthwhile? Let’s take a look at one of the silliest myths out there.

This myth has been around for a very long time, and we aren’t expecting everybody to receive this news with happy agreement. You’re welcome to state your case in the comments for why hidden wireless networks are a great idea, but we think if you keep reading, you’ll realize that it’s just not a security feature.

If you’ve been a fan of How-To Geek for a long time, you might think you’re seeing this again. This article was originally written years ago, but we’ve updated it and are republishing for our newer readers.

Wireless SSIDs Were Never Designed to Be Hidden


It’s never a good sign when manufacturers create technologies that don’t follow the agreed-upon spec documents that ensure interoperability between vendors—it’s usually a way for them to make more money with vendor lock-in features that require you to buy their hardware.

In this particular case, the 802.11 wireless spec requires access points to broadcast their SSID, or at least it originally did according to Microsoft’s Steve Riley:

An SSID is a network name, not — I repeat, not — a password. A wireless network has an SSID to distinguish it from other wireless networks in the vicinity. The SSID was never designed to be hidden, and therefore won’t provide your network with any kind of protection if you try to hide it.

Obviously feature demand drives the specifications, so even though everybody eventually supported hidden SSIDs, the point is that there’s no extra protection from hiding your SSID. Read on.

Finding Hidden SSIDs Is a Trivial Task

It’s extremely easy to find the ID for a “hidden” network—all you have to do is use a utility like inSSIDer, NetStumbler, or Kismet to scan for a short while, and it will show all of the networks currently out there. It’s really that simple, and there are plenty of other tools that do the same job, many of which are even free.

We’re not going to give you directions on how to find networks with hidden SSIDs, but it’s easy enough to find all sorts of hidden networks if you grab the right tools.

Real hackers are going to be using tools like Kismet and Aircrack to figure out the SSID before they crack your network, so whether or not a particular tool is showing the right data is beside the point.

Hidden Wireless Networks Are a Pain to Deal With

Now that you know how simple it really is for people to find your ID, wouldn’t you rather use the default networking configurations where you can easily select the network from a list? Why go through all the steps required to connect to a hidden network?

For instance, on your Windows 7 box, you’ll have to go to Network and Sharing Center –> Manage Wireless Networks –> Add –> Manually Create a network profile to get to the screen where you can start entering all the details for the hidden network. For a network that is broadcasting, all you have to do is click twice.


And that’s just Windows 7, which makes wireless networking easy—having to go through all the configuration screens on every single one of your devices is just ridiculous.

Hiding the Network Leads to Potential Connection Problems

This isn’t quite as much of a problem in modern versions of Windows, but back in the Windows XP days, there were quite a few connection problems when you were using a hidden SSID, not to mention getting disconnected and connecting to the wrong network. Basically, Windows would automatically try to connect to a less preferred network that was broadcasting instead of a preferred network with a hidden SSID—the only way around it was to disable automatic connection to the broadcasting one, which was annoying as well.

The same thing holds true with some other devices—I’ve seen problems with Android phones, and you can just do some quick Google searches to find loads of other issues that are all resolved by not using a hidden SSID.

There’s another problem with hiding your wireless network name: many devices won’t let you automatically connect to a hidden network, and if you do have automatic connection enabled, you’re actually leaking your network name, as we’ll explore below.

Hidden Wireless SSIDs Actually Leak Your SSID Name


When you hide your wireless SSID on the router side of things, what actually happens behind the scenes is that your laptop or mobile device starts sending probe requests over the air to try to find your router—no matter where you are. So you’re sitting there at the neighborhood coffee shop, and your laptop or iPhone is telling anybody with a network scanner that you’ve got a hidden network at your house or job.

Microsoft’s Technet explains exactly why hidden SSIDs are not a security feature, especially with older clients:

A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.

Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks.

The behavior is a little better in Windows 7 or Vista as long as you don’t have automatic connection enabled—the only way to be sure that you’re not leaking the network name is to disable automatic connection to wireless networks with a hidden SSID. Microsoft’s explanation:

The Connect even if the network is not broadcasting check box determines whether the wireless network broadcasts (cleared, the default value) or does not broadcast (selected) its SSID. When selected, Wireless Auto Configuration sends probe requests to discover if the non-broadcast network is in range.
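To check your own Windows machines for the setting described above, the following added example (not from the original article or from Microsoft) audits WLAN profile XML of the kind written by `netsh wlan export profile`. It flags profiles that are both marked non-broadcast and set to connect automatically, which is the combination that makes the client probe for the SSID by name. The sample profiles are constructed, and treating a missing `connectionMode` as `auto` is a conservative assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def _profile(ssid, non_broadcast, mode):
    """Build a constructed sample profile, trimmed to the fields audited here."""
    hidden = f"<nonBroadcast>{non_broadcast}</nonBroadcast>" if non_broadcast else ""
    return (
        f'<WLANProfile xmlns="{NS["w"]}"><name>{ssid}</name>'
        f"<SSIDConfig><SSID><name>{ssid}</name></SSID>{hidden}</SSIDConfig>"
        f"<connectionType>ESS</connectionType>"
        f"<connectionMode>{mode}</connectionMode></WLANProfile>"
    )

# Constructed samples, not real networks.
SAMPLES = [
    _profile("HomeHidden", "true", "auto"),
    _profile("OfficeHidden", "true", "manual"),
    _profile("CoffeeShop", None, "auto"),
]

def audit_profile(xml_text):
    """Return (ssid, verdict) for one exported profile."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="?", namespaces=NS)
    # An absent nonBroadcast element is treated as "false" (broadcast network).
    hidden = root.findtext("w:SSIDConfig/w:nonBroadcast", default="false", namespaces=NS)
    # Assumption: an absent connectionMode is treated as "auto" to err on the safe side.
    mode = root.findtext("w:connectionMode", default="auto", namespaces=NS)
    hidden = hidden.strip().lower() == "true"
    auto = mode.strip().lower() == "auto"
    if hidden and auto:
        verdict = "PROBES"   # client sends probe requests naming this SSID
    elif hidden:
        verdict = "MANUAL"   # hidden, but only probed when the user connects
    else:
        verdict = "OK"       # broadcast network, no named probing needed
    return ssid, verdict

def audit_all(profiles):
    return [audit_profile(p) for p in profiles]

if __name__ == "__main__":
    for ssid, verdict in audit_all(SAMPLES):
        print(f"{verdict:7} {ssid}")
```

Profiles reported as `PROBES` are the ones to switch to manual connection, or better, to replace with a broadcasting network protected by WPA2.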

How Should You Secure Your Network Then?

When it comes to wireless network security, there’s really only one rule that you need to follow: Use WPA2 encryption, and make sure that you are using a strong network key. If you’re on a wireless hotspot that isn’t your own, be sure to read our guide to keeping secure on a public wireless hotspot.


If you’re not using encryption, or you’re using the pathetic WEP encryption scheme, it doesn’t matter whether you hide your SSID, filter MAC addresses, or cover your head in tin foil—your network is wide open for hacking in a matter of minutes.

Myth status: Debunked.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis.

  • Published 08/15/14
  • Jason Dagless

    SSID hiding is a good measure for when I see a new "How to Secure Your Wireless Network" article.

    Usually in an out-of-date and misinformed article it will be the no. 1 recommendation before MAC filtering. So when I see that I know I can ignore the article and move on.

  • Keltari

    Excellent article. I definitely sit on the side that security through obscurity is more of a hindrance than a helper. I will give hidden networks one positive: if people don't know the network is there, they won't bug you for the name and key.

  • Xu-B

    The fact that someone has to be running specific software within a broadcast range of a client in order to even know that said WiFi exists is a bonus security feature for me. I don't mind a few extra steps when I only have to set it up once. I know it's not literally more secure, however it is relatively more secure.

    I don't connect to public Wifi... there should be an article on that ;)

  • Jean Renaud

    I agree exactly with Wysir too: bonus + I don't mind the few extra steps: not complicated.

    Plus the fact that you make sure that normal people walking around don't ask employees for that specific SSID network password since it's not showing. I'm always worried that a staff member inadvertently gives away the password for the wrong SSID.

    In my office, for example, I have 2 SSIDs: one "public" (and broadcasted) for visitors, with access only to the internet: the password is known by most employees but not readily available; and another one "private" (and not broadcasted) for the staff, with access to our server + network resources (printers, NAS, etc.).

  • Jurie Botha

    This article is mostly a load of bull, half-truths etc...

    I do agree that simply hiding your SSID is not secure, in this day and age I think most know to enable WPA2 or at the very least WEP encryption.

    Hiding your SSID does accomplish one thing though, keeps average joe off your network. As for hackers - they'll get in no matter what if they want in badly enough.

    As for Kismet etc... they require people to actually download an app, and while available freely, most people wouldn't go through the trouble.

    Absolutely nothing wrong with hiding your ssid as long as you've got connection encryption enabled as well, and even if you don't have encryption, it will at the very least keep the less tech-savvy off your network.

    IMHO, use both - hide your SSID AND encrypt your connection. (WPA2) At the very least they won't be able to identify that you have a wireless network by simply checking their laptop for available wireless networks. And that in itself adds a bit of security - not much - but better than nothing.

  • Jason Dagless

    Guys, hiding your SSID just isn't worth it so the article is quite correct. No bull here.

    It's as useful as hiding a Sherman tank with a napkin.

    You are just making life more difficult.

    People just love doing outdated stuff just cos it makes them feel more 'Tech'.

  • Xu-B

    No, it's like hiding a Sherman tank with a cloaking device. You will have to install an infrared scope and search in the right area to realize it exists.

  • Lowell Heddings

    No, using WPA2 and a password will keep all of the average joes off your network.

    Anybody that has the skills to crack a WPA2 network isn't going to be stopped by a hidden SSID... in fact, that might make them more likely to want to get in.

  • Jurie Botha

    Why don't you read my entire comment, not nitpick sections of it for sensationalism. I DID say USE encryption. I am not promoting "Hiding your SSID" as a sole method for securing it, that's stupid. BUT, it does help. You can only access a wireless network if you know it is there.

    Personally I hide my SSID, use WPA2 and I do MAC filtering.

  • Jurie Botha

    So taking 15 seconds to manually set up the Network profile (Which you only have to do once per device) is too much trouble? Damn, people have become lazy as hell. Yes SSID hiding in a business environment - not an option - but perfect (In conjunction with WPA2 & MAC Filtering) to keep neighbors from even being aware of your wifi.

  • Jason Dagless

    Hey if you want to waste your time with outdated procedures then that's up to you.

    A decent WPA2 password will keep out 99.99% of folks. The other technically adept .01% (the ones that really want to get in for some reason) will just walk over your hidden SSID and MAC filtering in seconds.

    It's not being lazy it's just knowing what the real likely threat is out there, moving forward and not using obsolete security methods.

  • Lowell Heddings

    My point is that hiding your SSID does absolutely nothing to promote security and is only a hassle to deal with.

    Setting a strong WPA2 password will stop every average joe from getting on your network.

    Every. Single. One.

    Because there are zero average joes that would be able to get past a tough WPA2 password, anything you do on top of setting a strong WPA2 password is pointless. It would be like adding two padlocks to the chicken cage to prevent the chickens from getting out.

    And since hiding your network doesn't actually stop the tiny percentage of people who might have a chance of cracking your network, it's extra pointless.

  • Michael Tunnell

    It is actually better for security but it certainly isn't a solution for actual security. You would need to still use WPA2 or something else to secure it though hiding it does give a bit of Security through Obscurity benefits. However, with that said, the tiny amount of benefit it provides is not worth the hassle of dealing with it.

  • John Doe

    I don't know where everyone is getting "not worth the hassle, just a waste of time, don't want to deal with it, etc."

    When setting up your network hiding the SSID usually takes ZERO extra time, just click a radio button/check box on the page where you are already setting up the wireless.

    You are already using a key that you need to enter when connecting which takes what, 30 seconds at least if the key is worth anything? Typing in the SSID probably takes 5 seconds unless you get stupid with the name.

    So you either click view networks, connect, and type in the key or you click add, type SSID, and type the key.

    So 5 extra seconds per device is really that big of a hassle? Not for me because it keeps the freeloaders from bugging me for WiFi because they don't know it exists.

    Security? Not really. Hassle or time consuming? Nope. Smart? Yup.

  • Steve Robbins

    If hidden SSID isn't effective, then why do my logs for the past five years with router protected by hidden SSID plus a MAC whitelist show zero logons by people outside my family? I can crack WPA2 overnight with Reaver--no problem. None of that stuff does a thing against the determined and skilled hacker. But determined and skilled hackers don't seem to have wanted to spend the time to break into my system. By the way, I used hidden SSID with Windows XP for four years with zero problems. I don't know where these wacky "professional" opinions come from but they're dead wrong.

    In order not to be eaten by the bear you don't have to be the fastest runner in the land. You only have to be faster than the slowest. Bad guys bash in doors with invitations on them. They avoid any trouble at all unless there is something mighty attractive on full display. My network ain't it. Probably neither is yours.

    The most insecure wireless practice? Using the stupid button to automatically swap passwords between computer and router. The actual password they swapped is pretty secure, but the button itself has a password that's child's play to decode. It can be done very quickly and then the router hands you the real password for free. THAT's stupid security. Don't buy a router unless you can install DD-WRT, which doesn't support giving your password to strangers.
