4

I want to improve the security of my home wifi. My neighbor wants to crack my Wi-Fi password with a nutcracker.

I tried to activate the protection by MAC address, but now my laptop and smartphone don't have access to the box. Is MAC address filtering effective?

How else can I secure my Wi-Fi?

Gilles 'SO- stop being evil'
Belin
  • 8
    I'm glad that you solved your problem, but adding "SOLVED" to the question's title is not how we do things around here. Accept the answer you found most helpful, or self-answer your question in a new answer. This way others experiencing same problems and looking for solutions would know how to solve it themselves too. Please also [edit] to add specific details of your problem to your question (it's rather unclear now what your configuration is/was). And specifics of what you did to solve it in a new answer, if the already existing one didn't work for you. Thanks! – TildalWave Jun 06 '14 at 13:31
  • Did you add your laptop and smartphone to the allowed MAC list? – schroeder Jun 06 '14 at 14:33
  • In addition to securing primary AP, just configure an open guest- and neighbour-friendly access point (maybe redirected into Tor)? – Vi. Jun 06 '14 at 17:47
  • 1
    Change the SSID to `STOP CRACKING OR I CALL THE COPS` - might give them the message. – Philipp Jun 06 '14 at 18:29
  • Is this a real neighbor or a hypothetical neighbor? – Freiheit Jun 06 '14 at 19:21

5 Answers

22

MAC address filtering is a very weak form of wifi protection:

  • the MAC addresses of your devices can be easily eavesdropped with tools like Wireshark
  • the MAC addresses of their devices can be easily changed (OS dependent, but typically an option in Network Settings).
  • MAC address filtering is annoying to maintain. You have to log in to your router configuration every time a new device connects, find the MAC address in the settings of the new device, type in 12 seemingly-random hexadecimal digits (or copy from the logs of connection attempts), and still tell the new device the new strong wifi password.

To secure your wifi, make sure you use WPA2 with a strong passphrase (e.g., 6-8 random words) with WPS (Wifi Protected Setup) disabled (WPS is broken). You should also check that your router doesn't have any known backdoors.

The strong high-entropy password is extremely important. Wifi passwords can be cracked in offline attacks after capturing a handshake, at a rate of trying millions to billions of passwords per second. However, 8 words randomly taken from a dictionary with 10000 = 10^4 words means there are 10^32 passwords the attacker would have to try (assuming the attacker knew that's how you choose passwords -- the rate will be worse if they don't know this). At a rate of a billion passwords per second per computer with a million computers, it would take more than a billion years to crack an 8 random word password. (Note picking a well known quote/phrase is much much weaker even if it is 8 words long.) A passphrase of six random words would have 10^24 (e.g., with a million computers doing a billion passphrases per second it would take only 31 years to break). Note a four-word passphrase only has 10^16 so a single computer doing a billion passphrases per second would take about a month or two to break it. A three-word passphrase can be broken by a single computer in under 20 minutes.

Note, if you choose to go the random characters route, if you choose characters randomly from uppercase+lowercase+numbers, then a three-word passphrase is about equal to a 7-character password, a four-word passphrase is about equal to a 9-character password, a six-word passphrase is about equal to a 13-character password, and an eight-word passphrase is about equal to an 18-character password.

dr jimbob
  • 2
    Great answer -- thank you! Do you have any advice on what procedure a user should use to confirm that their router doesn't have any known backdoors? – D.W. Jun 06 '14 at 17:29
  • @D.W. - I'd suggest using your favorite search engine and search for (name of router) + "backdoor". Granted you may want to be careful doing this, could be used as evidence you tried to hack someone. Alternatively, use a router with open-source firmware like [DD-WRT](http://www.dd-wrt.com) / [OpenWRT](https://openwrt.org), which presumably do not have obvious backdoors. (Granted OpenSSL is open-source and had heartbleed and several more recent problems for a long time, so open-source while preferred isn't perfectly secure). – dr jimbob Jun 06 '14 at 18:33
  • 3
    This should be the selected answer. – a coder Jun 06 '14 at 18:55
  • I only use wifi on my devices when needed, so by default the wifi is turned off and as such no MAC address can be found, but your last point is indeed annoying, especially since the maximum MAC address that can be stored is 20 with my router. – Cerveser Mar 26 '16 at 15:31
  • @Cerveser - Your MAC address is not secret information -- it's necessary public info for wifi cards to identify packets intended for them. Every communication to any wifi router broadcasts the MAC to everyone with a wifi card in wifi radio range from you and this only needs to be eavesdropped once for just one device (e.g., wireless printer, smart TV, tablet, smart watch, internet camera, laptop, chromecast, smartphone). If by default wifi is off, then you are fine with or without MAC filtering -- there's no wifi to access as you turned wifi off at the router. – dr jimbob Mar 26 '16 at 16:00
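
The keyspace arithmetic from dr jimbob's answer above, as an added example that is not part of the original answers. It uses the answer's assumptions (a 10^4-word dictionary, 62 alphanumeric characters, its guess rates) and goes one step further by generating a passphrase that is guaranteed to fit the 8 to 63 character WPA2 limit; `DEMO_WORDS` is a constructed list and the function names are illustrative.

```python
import math
import secrets

YEAR = 365.25 * 24 * 3600          # seconds in a year
WPA2_MIN, WPA2_MAX = 8, 63         # WPA2 passphrases are 8..63 ASCII characters

def keyspace(n_words, dict_size=10_000):
    """Number of equally likely passphrases of n_words random words."""
    return dict_size ** n_words

def worst_case_seconds(n_words, guesses_per_sec, dict_size=10_000):
    """Time to try every passphrase; the expected time is half of this."""
    return keyspace(n_words, dict_size) / guesses_per_sec

def equivalent_chars(n_words, dict_size=10_000, alphabet=62):
    """Nearest length of a random [A-Za-z0-9] password with the same keyspace."""
    return round(n_words * math.log(dict_size) / math.log(alphabet))

def generate_passphrase(wordlist, n_words=6, sep="-"):
    """Pick n_words uniformly with a CSPRNG; return (passphrase, entropy_bits).

    Words too long to guarantee a result within the 63-character limit are
    dropped *before* sampling, so every draw is uniform over the pool and the
    reported entropy is exact for the pool actually used.
    """
    max_word = (WPA2_MAX - (n_words - 1) * len(sep)) // n_words
    pool = sorted({w.lower() for w in wordlist
                   if w.isascii() and w.isalpha() and len(w) <= max_word})
    if len(pool) < 2:
        raise ValueError("word pool too small after filtering")
    phrase = sep.join(secrets.choice(pool) for _ in range(n_words))
    if len(phrase) < WPA2_MIN:
        raise ValueError("passphrase shorter than the WPA2 minimum")
    return phrase, n_words * math.log2(len(pool))

# Constructed demo list; a real list needs ~10,000 words to match the figures.
DEMO_WORDS = ["anchor", "breeze", "copper", "dune", "ember", "fjord", "glacier",
              "harbor", "incomprehensibility", "juniper", "kettle", "lantern"]

if __name__ == "__main__":
    for n, rate in [(3, 1e9), (4, 1e9), (6, 1e15), (8, 1e15)]:
        secs = worst_case_seconds(n, rate)
        print(f"{n} words: 10^{4 * n} phrases, ~{equivalent_chars(n)} random "
              f"chars, {secs:.3g} s ({secs / YEAR:.3g} years) at {rate:.0e}/s")
    print(generate_passphrase(DEMO_WORDS))
```

With the 12-word demo list the reported entropy is only about 21 bits; the entropy figure returned alongside the passphrase is what tells you whether your word list is large enough.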
5

MAC protection isn't much protection at all since you can easily spoof your MAC address. Even if you hide your network's SSID (Service Set Identifier) broadcast, as soon as you connect to the network wirelessly while he's sniffing with a tool such as AirMon-NG, he would obtain the SSID of your AP (Access Point), which is passive, and could attack the handshakes. A more aggressive approach would be to send de-authentication packets so you have to re-authenticate, and he would be able to compromise the router.

If, however, you rarely connect wirelessly to the router, having a longer password will just make his job a lot harder if he's trying to brute-force/dictionary attack your router.

List of things you'll want to do:

  1. Strong password like LinuxGuts69 recommended.
  2. MAC filter (Just add your phone and other devices to whitelist).
  3. Isolate your wireless clients from your network.
  4. Hide your SSID like LinuxGuts69 recommended.
  5. Limit the number of devices that are connected to your network. If you have a maximum of 3 devices connected and the hacker, as the 4th, tries to connect, he won't have space to connect. This would let you know if it was successful or not.
  6. Enable successful connection logs on your router.
  7. Enable time-based network access: if you are always working at x time, then schedule your router to not broadcast at x time.
  8. Change your default administrator password.
  9. Disable auto-connect on your devices. Only connect when you need to, which will reduce the potential attack of handshakes.
Paul
0

A couple of thoughts...

  • As pointed out, security based on MAC or SSID is pretty useless against a dedicated attacker. WEP encryption is useless as well.
  • Use the best security mechanism your router supports. WPA2 is good. WPA is okay, when used in conjunction with TKIP or EAP. Use the longest encryption key you're offered.
  • Use the longest PSK you are allowed (usually 63 characters); this will stop brute force attacks. Unless you have a lot of ad hoc additions to your WLAN, the key should be a random sequence. FWIW..."LinuxGuts69" is a terrible password that a decent cracker will quickly find (2 dictionary words + "69" is the kind of pattern they specifically look for).
  • Look and see if your wireless AP supports changing the "key renegotiation interval". Change it to something smaller, like 300 seconds. This forces the AP and the client to compute a new session key and will defeat attacks that rely on collecting a lot of encrypted data under a single session key. Don't set it too small or it will affect performance.
  • If you have a small area that you use your WLAN in, reduce the transmit power of your AP radios. He can't hack you if he can't get a signal. Similarly, if your AP supports it, you might get a directional antenna that beams most of the signal away from your bad guy.
  • If you can find out the MAC of your bad guy, you can use something like Aircrack-ng to send him dissociate packets and repeatedly kick him out of your AP. Be aware that he can return the favor and kick you off as well.
  • If your bad guy only has an 802.11B/G or 2.4GHz-only 11N WLAN card, moving to 802.11A or 5GHz 11N means he can't see you. You might also change the channel your WLAN works over to one or the other end of the spectrum. If he's particularly unsavvy and depending on what gear he has, that can make it harder for him to get a signal to you.

There are probably some more things you can do, but complexity goes up pretty quick.

KJ Seefried
0

You can also use the small md5pass application to help you create a much more elaborate and strong password from a more fragile one, so you can use this password to better protect your network. Here's an example:

   md5pass keyword bit

It would be something like:

   md5pass inviolable 4096

           $1$4096$NBmqXsDvKsMuHCXHMXAJK.

Since -> $1$4096$NBmqXsDvKsMuHCXHMXAJK.

(This is the result md5pass generates from the word inviolable; you can now use the generated key as the password.)

This is very useful for setting a password for a user group on a router, mainly wireless routers, because you can store the keyword that generated the password somewhere else and use the key, which is stronger and better prepared, so that it is used only by those who possess it. Believe me, here in my neighborhood there are many wireless routers with passwords that are very easy to crack. A well-drafted password does not mean you are 100% secure from intrusion, but I believe it hinders the attacker's work a lot, which is already something. With this you can use it as a password on one of the systems (WEP, WAP or WAP2) in the wireless router.

Joke Sr. OK
  • 2
    This only provides security by obscurity. The hashed password *looks* much more complicated, but if the attacker knows or guesses that you are using md5pass in this way, he needs only to run the contents of a dictionary through md5 and try those few thousand keys, which will take very little time. You need a password with high entropy; running a low-entropy string ("inviolable") through a well-known deterministic function doesn't give you more entropy. – Nate Eldredge Jun 06 '14 at 18:51
  • Yes! But like I said before, this gives us a little help to stay more secure if combined with the other methods like WEP, WAP/WAP2... Without forgetting that changing the password "key" with some frequency gives us more chance to block an attempt to invade us! Don't forget anyone system is inviolable and are our work leave it this way. But like I said before, this is only a point of view on the use of the tools to make the security stronger in the access points. – Joke Sr. OK Jun 06 '14 at 19:24
-1

If your neighbor is trying to crack your wifi you should change your password to a 15 character or more password containing letters, numbers, symbols, uppercase letters, lower case etc. so it's going to make it a lot harder to crack the password to your wifi. If anything, disable your network or make your network hidden.

  • Thanks a lot, I'll do that! I hope he will not succeed in cracking my connection – Belin Jun 06 '14 at 13:21
  • Yeah, make sure it's more than 15 and has special characters as well to make it harder. Also, you should randomly generate the new password. Just look up password generator in Google. I hope this helped! – LinuxGuts69 Jun 06 '14 at 13:26
  • 6
    Also, never use WEP as security, and disable the push button login if your router has the function. These are easy to crack. – BadSkillz Jun 06 '14 at 14:38
  • Good routers will disable WPS after a few failed PINs, though. (It should really be one; how hard is it to push a button?) – Ry- Jun 06 '14 at 16:56
  • 3
    Making your wifi hidden doesn't help much. It prevents it from appearing in normal WIFI configuration tools but does not work for any dedicated cracking tools. – Philipp Jun 06 '14 at 18:33