This is a good analogy for corporate security: people refuse to do the one thing that will make them secure, but insist on doing lots of crap that does little to improve their security.
I understand why people don’t want to choose complex passwords, they are harder to remember than simple passwords. People gravitate toward easier security. But why, then, do they insist upon hiding the network name and MAC filtering? These things do nothing to stop hackers, but they annoy the heck out of guests (like me) who might want to use the WiFi.
Anybody that connects to a hidden network must “probe” for it. That puts their laptop/iPhone at risk when they leave your network, allowing hackers to trap their devices in fake access-points. Thus, when you use hidden networks, you increase the risk for your guests while doing essentially nothing to increase your own security.
MAC filtering annoys hackers, but only slightly. It means they have to eavesdrop on your network for a bit before cloning a permitted device’s MAC address. But MAC filtering is even more annoying for guests. It can be a complicated and time wasting affair, as they misread a character, or as I did, read off the Bluetooth MAC instead of WiFi MAC address.
I hear various excuses. For example, they claim they aren’t trying to stop the world’s best hackers. But that’s wrong, for two reasons.
The first is that it still doesn’t explain why you are replacing a minor annoyance (complex password) with major annoyances (hidden networks and MAC filtering).
The second reason is that yes, you need to protect yourself against the best hackers. The world’s best hackers create simple tools, and publish them on the Internet. The teenage kid five doors down uses those tools (with a directional antenna) to break into your network.
The “Bugblatter Beast of Traal” theory of security: if you can’t see hackers, then hackers must not be able to see you. But directional antennas that increase the range by 100 times are rather cheap. Sure, you may have trouble getting a good signal in your yard, but a hacker a mile away can still break into your network.
George Ou, who writes at http://www.digitalsociety.org/, makes the following observations, which I thought were interesting enough to post here:
But Rob, we don't need a terribly complex WPA-PSK for a good degree of non-guessability. Even an 8-character alphanumeric PSK is extremely hard to crack even when you're leasing cloud capacity. Bump it up to 10-char or 12-char and even the cloud attack will become impractical.
1. Your neighbor's kid can crack an 8 character alpha password in a few days using his graphics card by guessing all combinations of letters ("brute-force attack").
2. Even a 12-char alpha/numeric/punctuation password can be guessed by going through the dictionary and doing minor alterations of the words ("dictionary mutation attack").
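The two attacks above are the reason a PSK policy has to check both things: keyspace size (what brute force exhausts) and distance from a dictionary word (what mutation rules cover). The following Python is an added example, not code from the original post: a small PSK policy check that estimates brute-force time from the password's character classes and rejects passwords that reduce to a dictionary word once case, a digit/punctuation suffix and common letter substitutions are stripped. The wordlist, the substitution table and the guess rate (100,000 WPA-PSK guesses per second for one GPU) are assumptions; the post gives no numbers for them.

```python
import string

# Constructed mini wordlist standing in for a real cracking dictionary (assumption:
# a real check would load a large wordlist from disk).
TOY_WORDLIST = {"password", "welcome", "dragon", "letmein", "monkey", "football", "secret"}

# Character substitutions a mutation attack applies to dictionary words; we undo them.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                          "$": "s", "5": "s", "1": "i", "7": "t"})

# Assumed offline WPA-PSK guess rate for one consumer GPU (PBKDF2 makes each guess
# expensive). The post states no rate, so this is a placeholder assumption.
ASSUMED_GUESSES_PER_SECOND = 100_000


def charset_size(password):
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_days(length, charset, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Days needed to try every string of this length over this charset."""
    return (charset ** length) / guesses_per_second / 86400


def normalize_candidate(password):
    """Undo the cheap mutations: case, a digit/punctuation suffix or prefix, and leet."""
    s = password.lower()
    s = s.rstrip(string.digits + string.punctuation)   # "...2011!" -> ""
    s = s.lstrip(string.punctuation)                    # "!!..." -> ""
    s = s.translate(LEET_MAP)                           # "p@ssw0rd" -> "password"
    return "".join(c for c in s if c.isalpha())


def is_dictionary_mutation(password, wordlist=TOY_WORDLIST):
    """True when the password is a dictionary word with trivial alterations."""
    return normalize_candidate(password) in wordlist


def assess_psk(password, min_days=365, wordlist=TOY_WORDLIST,
               guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Policy check: reject mutated dictionary words and keyspaces exhaustible in < min_days."""
    charset = charset_size(password)
    days = brute_force_days(len(password), charset, guesses_per_second)
    mutation = is_dictionary_mutation(password, wordlist)
    verdict = "reject" if (mutation or days < min_days) else "accept"
    return {"length": len(password), "charset": charset, "brute_force_days": days,
            "dictionary_mutation": mutation, "verdict": verdict}


if __name__ == "__main__":
    for psk in ("P@ssw0rd2011!", "abcdefgh", "xq7Lm2vZpR9t"):
        print(psk, assess_psk(psk))
```

Note what the two checks catch separately: "P@ssw0rd2011!" has 13 characters over all four classes, so the brute-force estimate is astronomically large, yet it is rejected because it normalizes to "password"; "abcdefgh" survives the dictionary check but its 26-letter, 8-character keyspace falls at the assumed rate in a few weeks. Only a random string like "xq7Lm2vZpR9t" passes both.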
The problem with the other two myths is that security "experts" (even the CISSP curriculum) teach MAC filtering and SSID broadcast suppression.
I hadn't thought of that. This shows yet again that the CISSP is not an adequate certification for security professionals.
The MAC filtering isn't even a minor inconvenience for a hacker since it probably takes a few milliseconds to see the MAC address, and it provides zero encryption for stopping wall-of-sheep attacks or sidejacking.
SSID broadcast suppression (mistakenly known as hiding) simply forces the clients to broadcast rather than the base-station. That's like trying to hide a huge fixed military installation but asking all the foot soldiers to go around beaconing their location even in enemy territory. It is extremely stupid yet there are so many "experts" that still teach this.
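The point made earlier about hidden networks putting guests at risk, and George's "foot soldiers beaconing their location" description, come down to one observable: a client that remembers a hidden SSID has to send directed probe requests naming that network wherever it goes, while a client that only remembers broadcast networks can get by with wildcard probes that name nothing. The Python below is an added example, not code from the original post or from any capture tool: it parses a constructed, one-line-per-frame log of management frames (the line format, timestamps and locally administered MAC addresses are all made up here) and reports which of your own devices are naming networks in their probes. It is the kind of check you would run over a capture of your own lab or office to find devices that still carry a hidden-SSID profile and should have it removed (and the access point set to broadcast its SSID).

```python
import re
from collections import defaultdict

# Constructed log of 802.11 management frames in a made-up one-line-per-frame format
# (assumption: this is not the output of any particular capture tool). The MAC
# addresses are locally administered placeholders, not real devices.
SAMPLE_LOG = """\
2011-03-14 10:00:01 probe-req src=02:00:00:00:00:01 ssid=""
2011-03-14 10:00:02 probe-req src=02:00:00:00:00:02 ssid="home-hidden"
2011-03-14 10:00:03 probe-req src=02:00:00:00:00:02 ssid="office-hidden"
2011-03-14 10:00:04 probe-req src=02:00:00:00:00:01 ssid=""
2011-03-14 10:00:05 beacon    src=02:00:00:00:00:aa ssid="cafe-guest"
2011-03-14 10:00:06 probe-req src=02:00:00:00:00:03 ssid="home-hidden"
this line is not a frame record
"""

# One record per line: timestamp, frame kind, source MAC, quoted SSID (may be empty).
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\s+(?P<kind>probe-req|beacon)\s+'
    r'src=(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+ssid="(?P<ssid>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None for lines that are not frame records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_probes(lines):
    """Per client MAC: the SSIDs it named in directed probes, and a count of wildcard probes."""
    report = defaultdict(lambda: {"directed": set(), "wildcard": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "probe-req":
            continue  # beacons come from access points; unparseable lines are skipped
        entry = report[rec["src"]]
        if rec["ssid"]:
            entry["directed"].add(rec["ssid"])  # names a remembered network: the hidden-SSID habit
        else:
            entry["wildcard"] += 1              # asks every AP in range to answer, names nothing
    return dict(report)


def leaking_clients(report):
    """Clients that advertise the names of networks they remember, in stable sorted order."""
    return sorted((mac, sorted(info["directed"]))
                  for mac, info in report.items() if info["directed"])


if __name__ == "__main__":
    rep = audit_probes(SAMPLE_LOG.splitlines())
    for mac, ssids in leaking_clients(rep):
        print(f"{mac} probes for: {', '.join(ssids)}")
```

On the constructed log, client ...:01 sends only wildcard probes and is not reported, while ...:02 and ...:03 are flagged because they name "home-hidden" (and, for ...:02, "office-hidden") in every place they go. Removing the saved hidden-network profile from those devices, and simply broadcasting the SSID at the access point, makes the directed probes unnecessary.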
Anybody can be an expert in cybersecurity: they just have to say "you aren't taking security seriously enough".