23

Is hiding your Wi-Fi SSID and setting it without a password as secure as when your SSID shown with a password on a technical level?

Improve this question
4
  • 11
    Having an "unlisted" phone number doesn't make it impossible (or even more difficult) for people who know the number to call you. The analogy with WiFi: everyone calling your number is shouting it out while they dial; anyone who overhears now knows the number.
    – spuck
    Commented Oct 6, 2021 at 14:03
  • 4
    Except that with WIFI they dont need to wait very long for you to dial. You are constantly shouting the SSID.
    – davidgo
    Commented Oct 6, 2021 at 20:40
  • 5
    In fact, turning off SSID is not secure and hiding it actually makes it arguably less secure.
    – hookenz
    Commented Oct 7, 2021 at 3:02
  • 3
    Hiding your SSID in my mind lives under the umbrella of “security by obscurity”, which is essentially a misnomer as it’s generally a phrase to disparage a class of ham-handed approaches that provide pseudo security. That is to say, poor security. Laughable security. Insecurity. But I’m drunk, so take this with a grain of salt on your margarita glass.
    – Greenstick
    Commented Oct 7, 2021 at 5:18

5 Answers 5

Reset to default
66

NO. When you hide your SSID, it is broadcast by clients, so its easy enough to discover anyway (just Googling "discovering hidden SSID" will link you to multiple tools and ways this can be done with relative ease). At that point, free access. There has never been much point in hidden SSIDs.

WIFI passwords are not sent in plain text; they require a significant amount of work (if correctly set up - an unrealistic amount of CPU) to crack.

Improve this answer
6
  • 1
    The "significant work" is relative because WEP is easy to break in comparison. You need to have at least WPA2, but WPA3 exists due to bug in WPA2. So while bruting forcing takes an realistic time, bug either know or unknown significantly reduce this time.
    – cybernard
    Commented Oct 6, 2021 at 15:01
  • 30
    @cybernard I think that's covered by "if correctly set up" - WEP has been discouraged for at least fifteen years at this point.
    – IMSoP
    Commented Oct 6, 2021 at 15:04
  • 2
    @DanM. Not really. One of those flaws is a downgrade to WPA2 (which, if allowed, just makes it as weak as WPA2), the rest of them should be fixed in current implementations (so it's only early implementations that suffer).
    – TooTea
    Commented Oct 6, 2021 at 15:48
  • 18
    There is only one point in hidden SSIDs in my experience, and it's to de-clutter Wi-FI network lists in congested areas like apartment complexes. Especially in recent years when many ISP provided routers will by default have 4 networks configured.
    – Logarr
    Commented Oct 6, 2021 at 16:58
  • 6
    @Logarr it may declutter things from the user's view, but those hidden SSIDs are still broadcasting beacons just with empty SSID fields in the packets. The beacons or BSSID broadcasts are still needed for roaming to different APs to work right.
    – Alex Cannon
    Commented Oct 7, 2021 at 1:56
32

Hiding SSIDs is also bad for privacy.

In addition to providing exactly zero security (as the other answers have explained), hiding the SSID is also a very bad idea if you care about privacy.

In a "normal" (not hidden) network, the access point will periodically transmit "beacons" with various information including the SSID. A client thus only needs to passively listen to see what networks are available. If it sees a beacon from one of the configured networks, it can then decide to connect to it.

However, with a hidden SSID, there's no way for a client to know it's in range of a configured network without actively trying to connect. Thus once you set your device to connect to a "hidden" network automatically, it will keep broadcasting "probe requests" with its SSID wherever you go. Sometimes the SSID itself might be somewhat embarrassing or contain personal information, and sharing the list of networks you visited in the past with everyone you meet is often also not desirable.

Improve this answer
2
  • Doesn't the OS assume that the SSID may be hidden and probe for it anyway? I know Windows XP has an option to "connect even if this network is not broadcasting". Do other operating systems still have that option?
    – Alex Cannon
    Commented Oct 7, 2021 at 1:48
  • @AlexCannon The checkbox is still there in Win10 at least but it's disabled by default. I don't know what happens on other OSes as I don't personally use hidden SSIDs at all (for likely obvious reasons).
    – TooTea
    Commented Oct 7, 2021 at 10:13
4

No

THIS IS SUPER EASY TO DECLOAK

You can see it when you are looking at wireless traffic in whireshark while in monitor mode.

You can also simply send a deauthentication packet to the client using aircrack-ng or any other packet crafting tool, and it will show look at probes coming from clients and see it.

here is a good article on this.

Improve this answer
4

Others have sufficiently addressed the lack of benefit to security when hiding your SSID, so I would like to point out the significant risk at which you would put your network by not setting a password (i.e. using no encryption).

Anything transmitted between your access point and clients would be open to anyone eavesdropping with a wireless adapter set to monitor mode (trivial to set up). To do that, the person would not even have to connect to your network. Any information not protected by higher-layer encryption (e.g. TLS or PGP) would be available to them in clear.

Should they decide to go further, they could actively manipulate your network's traffic in all sorts of ways.

Whether you decide to hide your SSID or not, always use at least WPA2 encryption with a strong passphrase.

Improve this answer
4
  • 1
    Pretty much everything online now is protected with SSL/TLS. Someone can still mess with DNS and send you to other sites, but the website certificates will fail. They could redirect users to non SSL sites. Some people would notice and others wouldn't.
    – Alex Cannon
    Commented Oct 7, 2021 at 17:29
  • @AlexCannon Note that even with TLS,the domain name of every site you visit is still transmitted in the clear (eSNI is far from widely deployed). The same applies to DNS. Do you want your neighbors to know which adult sites you're visiting,when and for how long?
    – TooTea
    Commented Oct 7, 2021 at 17:45
  • 1
    Do you really know what your mobile phone or Windows software is doing? Open WLAN is a bad idea. Amazingly in the hotel I had been last, they had an open WLAN and a web page to "authenticate". That's much worse than having a WLAN password and no page to authenticate.
    – U. Windl
    Commented Oct 8, 2021 at 6:52
  • @AlexCannon For things going across the Internet, TLS may now be nearly the default. However, it's a different story with LAN protocols which assume that the underlying network is trustworthy. SMB and NFS traffic, for instance, is usually not encrypted.
    – Giorgos350
    Commented Oct 8, 2021 at 9:07
0

It is very secure as long as you never connect to it. Once you do the name is transmitted out for everyone to see.

As TooTea mentioned, the ability to have hidden SSIDs has made it so that clients must actively probe for the entire list of SSIDs that they are configured to connect to, revealing the full list of SSID names to anyone in the area whenever the device is scanning for new networks. Some devices seem to do this anyway even if the SSID was not configured as a hidden one when connecting.

Edit: If you want to see what 802.11 wireless clients are probing for, it's quite easy if you have a GNU/Linux system. You can do this with the default utilities. This assumes wlan0 is your wireless interface.

iw dev wlan0 interface add mon0 type monitor
ifconfig mon0 up
tcpdump -n -e -l --immediate-mode -i mon0|grep -i --line-buffered "probe request"

You shouldn't need to change the channel on the mon0 interface because probing is done on all channels. But it could help if the channel you are monitoring has a lot of interference and because of that you aren't able to receive probe requests as well. If you're using wlan0 you won't be able to have mon0 operating on a different channel than wlan0.

Although it's normal for a client to probe for a particular SSID name when it is connected to that network (so it can roam to other access points), if a client is probing for a particular SSID name when that access point has been unplugged or is out of range, then it's leaking the names of SSIDs (wifi network names) that it has been configured to connect to in the past.

If you do this you'll likely eventually come across some clients which are currently not connected, and they'll be probing for the names of hotels and business where they have been connected in the past. This is in addition to revealing some hidden network names that don't show up in your list of near by wireless networks.

Improve this answer
4
  • 1
    The first paragraph is entirely incorrect, TooTea explained why it's insecure even if you never connect. The second paragraph is in most part an incorrect restatement of the TooTea's answer. Clients must probe only hidden SSIDs, not the whole list of SSIDs they know. As for "some devices seem to do it anyway," these devices are indeed seriously borked w.r.t privacy and security. This statement needs a citation to support it.
    – kkm mistrusts SE
    Commented Oct 8, 2021 at 21:51
  • You haven't supported claim that a hidden SSID that is not connected to isn't secure with any evidence at all.
    – Alex Cannon
    Commented Oct 21, 2021 at 15:47
  • Sorry, I am lost, are you talking to me or to yourself? You are writing an answer, the onus of supporting your claims is entirely on you.
    – kkm mistrusts SE
    Commented Oct 21, 2021 at 18:52
  • @kkm how do you want me to prove a negative?
    – Alex Cannon
    Commented Oct 21, 2021 at 22:01

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .