Why You Shouldn’t Disable Your SSID Broadcast

Written by:  • Edited by: Bill Bunter
Updated May 21, 2009

Numerous websites recommend disabling your SSID broadcast on wireless network access points. But it’s a bad idea. This article explains why.

Google “Wireless Security” and you’ll find numerous websites which recommend that SSID (Service Set Identifier) broadcasting be disabled on wireless network access points. In fact, you’ll be hard pressed to find a website that recommends leaving it enabled. According to Steve Riley, a senior security strategist in Microsoft's Trustworthy Computing Group, the claim that disabling broadcasting can enhance security is, “A myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.”

What is SSID Broadcasting?

The SSID is the name of your network, and broadcasting it lets the people who need to use the network find it and connect to it easily. When you click on the icon in your Taskbar to view available networks, the networks that you see are listed because they’re broadcasting their SSIDs. Unfortunately, broadcasting the SSID also enables your network to be easily discovered by hackers – at least, that’s what the websites which recommend disabling SSID broadcasting would have you believe. The reality is, however, very different. Disabling broadcasting can actually compromise your security, as explained in "Why Non-broadcast Networks are not a Security Feature" from Microsoft. Furthermore, tools such as Kismet enable non-broadcasting networks to be discovered almost as easily as broadcasting networks.

Why You Shouldn't Disable SSID Broadcasting

Disabling broadcasting will also make life more difficult for the people who need to be able to connect to your network. Should you choose to disable your SSID broadcast, you’ll almost certainly see an increase in support calls from staff who are unable to find and connect to your network. But that’s not the only problem. Should your staff not be able to see your network, they may end up connecting to one that they can see – and that network may not be secure, meaning that your company data will be whizzing through the air in unencrypted form.

SSIDs were meant to be broadcast, so go ahead and broadcast them! Doing so will not in any way compromise your security.

One other thing that’s worth mentioning: many of the websites that recommend disabling your SSID broadcast also recommend enabling MAC filtering. Don’t do it! MAC filtering is so incredibly easy to bypass that it provides no real security whatsoever – and certainly not enough to even begin to justify the time it takes to set up.

To find out how to properly secure a wireless network, see our article on the subject and also see Microsoft’s document Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home Office or Small Organization Networks.


Comments

jr Jul 4, 2011 1:21 AM
don't use WEP
Anonymous wrote:
"c) Use a WEP Key"

That's the wrong answer!! Use WPA since WEP is rather easy to decode.
Will Mar 8, 2011 1:17 PM
Bad Advice
For you IT guys & gals this is a classic example of "Social Engineering" true disabling your SSID doesn't mean your private network is Ft. Knox but every bit of security helps. This is like saying why lock your car door (w/your GPS mounted on the dash) when you can just break the window?? So what do you do to discourage a potential thief? You hide your GPS and still lock your car door...
wi-fi creator Oct 9, 2010 4:04 PM
RE: Why You Shouldn’t Disable Your SSID Broadcast
@GAS: keep your low level knowledge about wireless networks security to yourself please. The wlan you describe is crackable in 20min max. Noob.
Davo Aug 29, 2010 4:37 AM
You should disable your SSID broadcast
OK, I've read the Microsoft article, and as far as I can tell the article warns against solely relying on not broadcasting your SSID for your security. I think what they are saying is some people just have their WAP security set to No Authentication, and instead choose not to broadcast their SSID - and they think this will be secure, which of course it isn't. However if you have WPA/WPA2 set on your router, and choose also not to broadcast your SSID then this is fine. Not broadcasting your SSID does not leave you open to attack, it is just another security prevention measure you can take, albeit one which can be circumvented. Obviously the main thing is to have strong security/encryption configured on your router.
Philippe Jul 21, 2010 12:09 PM
RE: Why You Shouldn’t Disable Your SSID Broadcast
I think that the logic is that if someone can crack your WPA2 password, it will be very easy for him to crack your SSID and MAC address. If he can't crack your WPA2 password, he can't access your network, so as others said, a strong WPA2 password is all that is needed.
JonesyBoy Jul 5, 2010 11:23 AM
RE: Why You Shouldn’t Disable Your SSID Broadcast
Truly, it seems like the most effective security measure is a strong WPA2 passphrase. It is not immediately obvious to me why having a hacker discover your non-broadcast network with Kismet (or any other software) is inherently more or less secure than having your SSID be broadcast. Either way, they'd have to crack your passphrase -- more than likely by brute force.
Chris Jun 21, 2010 7:52 AM
RE: Why You Shouldn’t Disable Your SSID Broadcast
Relying on SSID hiding and MAC-filtering is not only stupid but also dangerous.
As described in this article: http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43 there are 4 other mechanisms, which tell you the SSID of a WLAN: probe requests, probe responses, association requests, and re-association requests. So the only thing you need to do is sniff or try and connect to the WLAN.
The only way to really secure your WiFi is by using WPA2 (read WPA/WPA2 with AES encryption) with a strong key.
If you are tech savvy you could even be held responsible if you do not secure your WiFi as good as possible and someone uses your WiFi for illegal doings!
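The article's point that non-broadcast networks stay discoverable, and the frame types listed in the comment above, can be checked against the 802.11 management frame layout. This is an added example, not part of the article or of any comment: it parses constructed sample frames, and the network name `corp-wlan`, the MAC addresses and the helper names are assumptions made for the illustration.

```python
# Subtype -> (name, bytes of fixed fields before the tagged elements).
MGMT = {0: ("assoc-req", 4), 2: ("reassoc-req", 10), 4: ("probe-req", 0),
        5: ("probe-resp", 12), 8: ("beacon", 12)}
HDR_LEN = 24  # 802.11 management MAC header

def ssid_in_frame(frame: bytes):
    """Return (frame kind, SSID or None) for one management frame."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in MGMT:
        return ("other", None)
    kind, fixed = MGMT[subtype]
    pos = HDR_LEN + fixed
    while pos + 2 <= len(frame):            # walk ID/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            raise ValueError("truncated information element")
        if eid == 0:                        # element ID 0 is the SSID
            # A "hidden" AP sends a zero-length or all-NUL SSID here.
            hidden = not value.strip(b"\x00")
            return (kind, None if hidden else value.decode("utf-8", "replace"))
        pos += 2 + elen
    return (kind, None)

def make_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed sample frame (locally administered MACs, no FCS)."""
    ap, sta = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + ap + sta + ap + b"\x00\x00"
    rates = b"\x01\x04\x82\x84\x8b\x96"     # supported-rates element after the SSID
    return header + bytes(MGMT[subtype][1]) + bytes([0, len(ssid)]) + ssid + rates

def where_name_leaks(frames):
    """Map each SSID seen to the frame kinds that carried it in the clear."""
    seen = {}
    for frame in frames:
        kind, ssid = ssid_in_frame(frame)
        if ssid is not None:
            seen.setdefault(ssid, []).append(kind)
    return seen

# Constructed capture: an AP with broadcast disabled, plus one client joining it.
NAME = b"corp-wlan"                          # hypothetical network name
CAPTURE = [make_frame(8, b""), make_frame(8, b"\x00" * 9), make_frame(4, NAME),
           make_frame(5, NAME), make_frame(0, NAME), make_frame(2, NAME)]

if __name__ == "__main__":
    print(where_name_leaks(CAPTURE))
```

Only the beacons omit the name; every frame exchanged when a legitimate client connects carries it unencrypted, which is why hiding the SSID adds no confidentiality on top of WPA2.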
GAS May 15, 2010 4:59 AM
Lame article
Scaremongering tactics used in this article. Maybe the author himself likes to hook on to open wi-fi when he is on the move and hence he is preaching it !!

If you are a "home" user
a) Disabling SSID is indeed recommended &
b) Enable MAC filtering &
c) Use a WEP Key
Jason Mar 11, 2010 9:17 AM
RE: Why You Shouldn’t Disable Your SSID Broadcast
So you are suggesting users broadcast their network as well as not bothering to set up a mac filter? This is hardly sound advice, they both add a layer of potential security in comparison to having neither set up.
For a home network both the mac filter and disabling the ssid broadcast is not only simple to do but does indeed offer more security to their network, whether it be minimal or not the benefit is still there and recommending both be disabled is due to the hassle they cause is ridiculous.
Bill Bunter Jul 13, 2009 7:06 PM
RE: Why You Shouldn’t Disable Your SSID Broadcast
@mab: see the second link in the article, in particular the section entitled, "Why Non-broadcast Networks are not a Security Feature." Using encryption will protect your network from both skilled hackers and unskilled bandwidth bandits; disabling SSID broadcasting will, as explained, reduce security.
mab Jul 13, 2009 6:19 PM
hardly a reason not to enable hidden SSID
The majority of people are not IT professionals nor hackers, for the average home user hidden SSIDs of course will add extra security from petty thief type hackers, it in no way makes it less secure.

test: leave a network open and then that same network hide the SSID, I think you'll find less people bumming off the network with the hidden SSID
Bill Bunter Jun 12, 2009 4:57 PM
Why You Shouldn’t Disable Your SSID Broadcast
LTN,

See the second link ("Why Non-broadcast Networks are not a Security Feature")
LTN Jun 12, 2009 3:10 PM
RE: Why You Shouldn’t Disable Your SSID Broadcast
Yeah but who cares when you are at home. And stfu about kismac, it says ''hidden network" or ''unknown network" when I do a scan. It was never intended to be a security feature for me. If you are the only one using your router why the hell do you need to broadcast your SSID. Though I concur that Mac Filtering is pointless and that AES WPA key is more sufficient
 