I always hear “CHANGE THE SSID” on your home router. There are two parts to the SSID, correct? The network name and the network password to connect. I realize that the password needs to be changed from the default of admin or whatever, but are people still suggesting that the SSID network name be changed as well? I can see changing the network name to something other than “Linksys” so that you know that it’s yours, but why does it matter if others can see this name? All that matters is changing the SSID password, correct?
Well, to begin with, a couple of concepts have gotten confused in your question.
There’s no such thing as an “SSID password”. The SSID is simply the identifier that a Wifi access point can broadcast to let you know that it exists.
The SSID can be changed, and there are good reasons to do so. Broadcasting the SSID can also be disabled, but whether that actually helps anything is debatable.
And finally, this isn’t really a router thing because there are routers that have no wireless capabilities and thus, they have no SSID to worry about. This is really a wireless access point thing – whether that access point is a separate device or combined with a router in a single package.
Become a Patron of Ask Leo! and go ad-free!
That password thing
Even though it’s completely unrelated to the SSID, let’s first deal with the password issue.
As outlined in How do I secure my router?, there are actually two passwords that you need to concern yourself with:
- The password used to gain administrative access to the router’s configuration
- The password used as part of WPA encryption used to secure your wireless connections
You should change the first one from its default. Otherwise, anyone with access to your network can reconfigure your router. I have heard of malware that can do exactly that if you leave the password unchanged.
You should add the second – WPA encryption – if you have not. Otherwise, anyone within range can possibly “listen in” on your wireless data.
But neither really have anything to do with SSID.
Change the SSID
You’ll need to access your router’s configuration to alter these settings. Exactly how you do that varies from router-to-router, so check your router’s documentation for instructions.
My example uses a LinkSys WAP54G wireless access point, which is a device separate from my router.
In its configuration, I navigate to the Wireless tab, Basic Wireless Settings page:
Everything that we want to look at is on this page in this access point.
The Network Name (SSID) usually defaults to something that is the same for every one of the access points or routers made by the same manufacturer. Typically, that’s the manufacturer’s name – LinkSys, in this case.
As you can see, I’ve changed that to something else:
I’ve named this access point “NOTENLAN-FR”, something that clearly identifies this particular access point and the network to which I have it attached.
You can choose pretty much any name that you like. I’ve seen SSIDs called things like “Fluffy Bunny” or “Connect here for malware” – the later being a semi-facetious way of telling strangers not to try to connect. (With WPA enabled, they would not be able to anyway, unless they had the proper password.)
But as you’ve pointed out, it is good to set it to something unique, so that you don’t accidentally connect to some other access point and questionable network with the same name as yours.
Broadcasting the SSID
There’s a diversity of opinion on whether or not it’s helpful to not broadcast your SSID.
As you can see above, mine is set to broadcast.
What does that mean? It means that it shows up in lists like this one:
The available networks there are those whose SSIDs are being broadcast by wireless access points in range.
If you disable the broadcast of the SSID, the wireless network does not appear here. You can still connect to it manually if you know the SSID (and WPA password, if appropriate), but it won’t show up in these types of lists automatically.
Broadcasting the SSID and security
There’s a misconception that not broadcasting the SSID makes your wireless network more secure.
That’s actually only partly true.
If the SSID isn’t being broadcast, your wireless network won’t show in those “nearby networks” lists. It’s a form of security by obscurity in that it keeps your neighbors or anyone else within range from connecting accidentally or otherwise.
However.
It’s not really secure. Your network is still technically visible; the packets going to and from your access point can still be intercepted and interpreted. It’s slightly more difficult, but still quite possible. Disabling the SSID broadcast doesn’t really protect your network from someone who’s knowledgeable and intent on connecting.
You still need that WPA password to do that.
So, disable the broadcast or not. Just realize what security you are and more importantly are not getting when you do so.
I had a customer who was getting redirected on Google searches. I was convinced it was the TDSS Rootkit but couldn’t find it on his system. I eventually realized he was running his wireless router with the default user name and password and that it had been indeed been hacked during a previous malware infection. The customer had contacted me because he was convinced the first tech that cleaned his computer hadn’t done a good job. The virus wasn’t on his computer any more but had already changed his wireless router settings to redirect web searches. A simple fix: Reset router to factory settings and change default user name and password.
Between broadcasting the SSID or not I would choose not for one reason. If your SSID is out there people within range know you are probably around. If you turn your router off when you go away then it’s possible, although admittedly unlikely, that the location of your empty house/apartment could be identified.
I had the Google redirect malware on one of my machines. I kept removing it using some well documented steps I found in a Google search but eventually it would return. I ended up using Malwarebytes and Spybot Search and Destroy to remove it once again and then I replaced AVG anti-virus with Microsoft Security Essentials and the rat has never returned. Having such a great AV tool being given out by MS for free makes me wonder what they are up to by doing so, but I gotta say it is the best AV software I’ve ever used and the price is right.
I always advise my (home based) customers to use an SSID that will not identify their home as the source. The biggest threat to privacy in a residential neighborhood is usually A NEIGHBOR. Why create an SSID that tells the viewer what house it comes from? So, no last names, no kids names, no house numbers . . . and yes, I also change the default admin settings, including the “linksys” user name. The goal is, give the nosey neighbor nothing of use.
Personally as long as the wireless is secured with WPA2 encryption I don’t see much harm in broadcasting my SSID around the neighborhood (and it’s obviously mine by name).
28-Jan-2012
Not broadcasting the SSID helps in certain situations. I work in a place where we have two routers. One for the public, without security key and another one for the employees, secured wifi. We mask the SSID for the secured router, so that the public does not see it, and only the employees with SSID and password can connect.
There are quite a few phones and other devices that show a list of all networks being broadcast or not. In addition, some laptops, media devices (cable, roku boxes, receivers) won’t connect even manually to non-broadcasting SSID’s even with the password. So not broadcasting your SSID is becoming a mute point and may just add a hassle in connecting a laptop or other device.
When your access point does not broadcast the SSID, it helps but…
When you turn on your laptop – the one that knows it’s looking for a LAN named ‘Kitty’ and should preferentially connect to ‘Kitty’ if it’s availabe, as soon as it wants to connect starts ‘shouting’ the equivalent of “Here, kitty kitty kitty?”. It’ll do that when you’re at Starbucks, too, even though there’s no “Kitty” around.
So malicious listeners-in will know the name of your home network even though it’s not broadcasting its SSID.
That and other annoyances when the access point is more-or-less anonymous have convinced me that turning off ‘broadcast SSID’ is a waste of energy. WPA, or at the very least (and it IS the very least) WEP is mandatory.
WEP is pointless. If security is an issue at all, WPA2 or better is mandatory.
28-Jan-2012
This may sound incredible; but I have encountered one combined Router & Wireless Access Point, in which the SSID had been changed from-
the Default of basically the maker’s Name & Type
to
the Full Street Address of where it was installed.
Whilst probably not affecting the WiFi Security, it certainly did give an indication of a significant computer installation, fortunately limited by the working range of the WiFi.
I echo the comment made by Art Yaffe:
I hadn’t thought of this FACT until recently. I have turned my SSID broadcast back on at home and UNchecked the “Connect even if the network is not broadcasting its name (SSID)” property in the “Manage Wireless Networks” Control Panel.
The other method of securing a wireless network that I use on top of the WPA password is that I have to manually add the MAC address for computers that can use my network. This is on a Linksys WAG160N modem router
Why do we think James Bond is going to drive his Masserati to our driveway and start his high tech hacking? Won’t even he look for a visible SSID and use it instead? The whole contention that not broadcasting the SSID seems stupid to me.
Really protecting your home network should consist of three layers, none of them including WEP or WPA, which are also stupid placebos.
1. Turn off SSID broadcast. If they don’t know you’re there, they won’t even try to log on. Your neighbor broadcasts his and they won’t even think to ignore that and look for hidden ones. Who are we fooling anyway?
2. Engage your MAC address whitelist, STUPID!!! Tell your router which computers belong on your network. The others have to buzz off. The list isn’t accessible because you’ve changed the name of your SSID and have a secure administrative password for the router. Yes, it’s possible to use brute force to get in. No it won’t happen anytime soon.
3. Now initiate and use your router’s logging capability to log entries to your network. You can check it once in awhile just to make sure nobody you don’t authorize gets in. They won’t. This is just to make you feel good and prove my point.
In order not to be eaten by the bear, you don’t have to be the fastest runner, just the second slowest.