I do hear about MAC address filtering from time to time. At first, it sounded kind of intriguing, but ultimately it turns out to be kind of like a cheap padlock: it only keeps honest people honest.
It'll certainly keep the casual or accidental connection from happening, which is fine as far as that goes; but for true security, it's actually pretty close to not having any at all.
I'll explain why.
MAC address
A MAC, or "Media Access Control" address, is a theoretically unique 48-bit identifier assigned to every network interface card (often referred to as a "NIC", or network adapter). The first three bytes identify the manufacturer; the last three are meant to be unique within that manufacturer's range.
Every ethernet port on your PC, every wireless adapter, and even every Firewire or USB connection that might also be used for networking, is assigned a MAC address. And as I said, they are all supposed to be different: the ethernet port on my desktop machine has a different MAC address than the ethernet port on my laptop, which is different than the ethernet port on the server running in my basement.
Even two otherwise identical network adapters should have different MAC addresses.
MAC addresses are assigned at the hardware level, by the manufacturer, and stored on the adapter itself. So, for example, if you move a network adapter from one machine to another, the MAC address moves with it.
MAC address usage
If you know the MAC address of every computer you want to allow to connect to your network, many routers, particularly wireless routers, allow you to restrict access to only those MAC addresses you specify. You collect the MAC addresses from all your laptops, for example (available via the "ipconfig /all" command in the Windows Command Prompt, "ip link" on Linux, or "ifconfig" on macOS), enter them into your router's "allowed addresses" list, and you should be secure.
In theory.
How MAC address filtering fails
I've used "theoretically" and "in theory" a couple of times above, because there are some inconvenient facts that cause those theories and some assumptions to fall down.
- MAC address filtering does not encrypt. Restricting your wireless router's access to certain MAC addresses does not prevent your data from being sniffed. If your data is unencrypted, that data remains visible to whoever might be in range.
- MAC addresses are not guaranteed unique. The address burned into the adapter is only a default; the operating system can be told to send frames with a different one, and most drivers let you change it with a single setting or command. It's easy, then, to configure two network adapters with the same MAC address.
- The MAC address itself is never encrypted. Even if you specify WPA2 encryption on your wireless connection, only the body of each frame is encrypted; the header that carries the sender, receiver and access-point addresses is sent in the clear. It can't be otherwise, since the header is what tells the radios which device is supposed to receive the frame. Your data is encrypted, of course, but the MAC addresses are not.
So, let's say a somewhat knowledgeable attacker is interested in accessing your WiFi hotspot, on which you have MAC address filtering turned on. They need only do two things:
- Sniff the network and note which MAC addresses are already exchanging traffic with your access point; those are, by definition, on the allowed list.
- Configure their own network interface to use one of those MAC addresses.
They're on, quickly and easily. (If the legitimate device is still active, the two will interfere with each other, so an attacker will usually wait for it to go quiet or pick an address that hasn't been seen for a while.)
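The two steps above, carried out against a constructed capture, as an added example (this code is not from the original article): it walks raw 802.11 data frames, collects every station address the access point is already exchanging traffic with, flags whether each looks vendor-assigned or locally overridden, and returns the Linux `ip link` commands that would adopt one of them. The BSSID, station addresses and the `wlan0` interface name are invented for the example; no frames are captured off the air and no command is executed.

```python
"""Harvest the station addresses an access point already serves, then show the
spoof command. Added example with constructed frames; nothing here is captured."""
import struct

# Constructed identifiers (hypothetical devices, not real hardware)
AP_BSSID = "02:11:22:33:44:55"
FC_DATA = 0x08      # frame-control byte 0: type 2 (data), subtype 0
FC_BEACON = 0x80    # type 0 (management), subtype 8
TO_DS, FROM_DS = 0x01, 0x02   # flag bits in frame-control byte 1


def mac_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(fc0: int, flags: int, addr1: str, addr2: str, addr3: str) -> bytes:
    """24-byte 802.11 header plus a dummy body. Only the body would be encrypted
    by WPA2; the three addresses in the header always travel in the clear."""
    return (struct.pack("<BBH", fc0, flags, 0)
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + struct.pack("<H", 0)
            + b"\x00" * 16)


def parse_header(frame: bytes):
    ftype = (frame[0] >> 2) & 0x3
    flags = frame[1]
    return ftype, flags, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])


def allowed_clients(frames, bssid: str) -> set:
    """Station MACs exchanging data frames with `bssid`. A station the AP is
    passing traffic for has, by definition, already passed the MAC filter."""
    clients = set()
    for frame in frames:
        ftype, flags, a1, a2, a3 = parse_header(frame)
        if ftype != 2:
            continue                      # management/control frames carry no client data
        if flags & TO_DS and not flags & FROM_DS and a1 == bssid:
            clients.add(a2)               # station -> AP: addr2 is the transmitting station
        elif flags & FROM_DS and not flags & TO_DS and a2 == bssid:
            clients.add(a1)               # AP -> station: addr1 is the receiving station
    return clients


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally,
    i.e. probably overridden in software rather than burned in by the vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def spoof_command(iface: str, mac: str) -> str:
    """The iproute2 commands that would adopt a harvested address on Linux
    (returned as a string, deliberately not executed)."""
    return (f"ip link set dev {iface} down && "
            f"ip link set dev {iface} address {mac} && "
            f"ip link set dev {iface} up")


# Constructed capture: two stations talking to AP_BSSID, one station on a
# different AP, and one beacon. Addresses are made up for the example.
CAPTURE = [
    build_frame(FC_DATA, TO_DS, AP_BSSID, "00:1a:2b:3c:4d:5e", "00:00:5e:00:53:01"),
    build_frame(FC_DATA, FROM_DS, "00:1a:2b:3c:4d:5e", AP_BSSID, "00:00:5e:00:53:01"),
    build_frame(FC_DATA, FROM_DS, "00:1a:2b:3c:4d:6f", AP_BSSID, "00:00:5e:00:53:01"),
    build_frame(FC_DATA, TO_DS, "02:99:99:99:99:99", "00:1a:2b:3c:4d:70", "00:00:5e:00:53:01"),
    build_frame(FC_BEACON, 0, "ff:ff:ff:ff:ff:ff", AP_BSSID, AP_BSSID),
]

if __name__ == "__main__":
    for mac in sorted(allowed_clients(CAPTURE, AP_BSSID)):
        kind = "locally administered" if is_locally_administered(mac) else "vendor-assigned"
        print(f"{mac} ({kind})")
        print("   ", spoof_command("wlan0", mac))
```

The station on the other access point is correctly left out: only traffic that the target AP itself forwards proves an address is on its allow list. On a real capture the frames would come from a monitor-mode interface rather than the inline list.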
Use WPA2 for more effective security
In my opinion, unless you're aware of the risks above and take them into account, MAC address filtering can actually be worse than having no security at all. It can give a false sense of security, which may lead you to ignore the additional steps that would give you true security.
My recommendation? Turn on WPA2 encryption (or WPA3, where your equipment supports it), which will encrypt your data, keeping it safe from sniffing, and restrict access to the wireless network to those that have the key. Use a long passphrase: with WPA2-Personal, an attacker who captures a device joining the network can try to guess the passphrase offline, so a short or obvious one undoes the protection.
It's a lot easier than tracking down all the MAC addresses for all your equipment.
It seems to me that people who try to avoid using security on their network, like the questioner, should be asked "would you leave your house front door unlocked and open if you were in the back yard not monitoring it?" Several places I have lived, the first thing we did when walking into the house was closing and locking the door. This seems to me like setting up WPA… common sense and the first thing to do in a potentially unsecure situation.
I use WPA2 and MAC filtering so you are saying I'm wasting my time with the MAC filtering. I guess if they get by the WPA2 the MAC filter would be no problem.
However, MAC address filtering, with WPA/WEP AND a hidden SSID, provides significantly more security. This allows only those that are authenticated via each level to access the hidden network. You need to know what the SSID is in order to hack it…
A "hidden" SSID is easily hackable. Even if the wireless router isn't broadcasting the SSID, all the devices connected to that router are still broadcasting the SSID to get the router's attention for service. A semi-competent attacker is quite able to capture these broadcasts. SSID "hiding" is almost useless. Adding MAC filtering and a hidden SSID to WPA isn't significantly more secure, it's a waste of time. WEP is broken, not secure at all and must be avoided. Just stick with WPA and a complex passcode for adequate wireless security.
I agree with Tom above, hiding an SSID is a waste of time because there are tons of programs, free ones at that, without digging around for hacking software, that will easily give this up.
When it comes to MAC filtering this is also a bit of a waste because you can just sit there with sniffing software to pick up the MAC address, then use spoofing software to make your MAC look like a legit one.
You should only use a very tough to crack password for WPA2 only; try not to go with WPA because, although harder to break than WEP, it is not impossible. When it comes to choosing a password you should not choose anything that is easy to guess. I went to someone's house today and the password was their fav football team; this is not secure at all. It needs to be 10+ characters at least, with upper and lower case and other things like full stops and other allowable characters, to make it impossible to remember. This means that the hacker needs to do something like a brute force style attack, which takes time; if it takes too long they may go elsewhere.
If you look online there are websites that tell you the quality of the password you have chosen.
Further, I use MAC filtering as part of my method of cutting off network access when the kids are supposed to be off-line (like on a school night).
Also worth looking up how Google Street View survey cars "accidentally" picked up network names (SSIDs) plus some of the traffic (e.g. e-mails) over unencrypted networks while taking their photographs. So well worth securing any wireless network…
There is really no practical way to "hide" your network's SSID, as some have suggested. You can certainly turn off "SSID broadcasting" on your router, but that's only half the story. While your router will no longer be shouting, "Hey, tomsnetwork here!", any wireless devices authorized to connect to the router servicing tomsnetwork will be shouting, "Hey, tomsnetwork, you there?" The result is an easily discoverable network SSID. Ergo, turning off "SSID broadcasting" on your router accomplishes nothing other than a false sense of security.
It is obvious that both WPA and MAC address filtering can secure my wireless network. But is MAC address filtering effective at blocking the connection of another PC which uses an ethernet cable?
In my opinion, MAC filtering is similar to a cheap padlock closing the trap over the real lock. Another analogy would be a 6″ high decorative border fence around your yard. It tells honest people that it's private property and that they are asked not to come in uninvited.
To add to what Tom R. said, hiding your SSID is actually pretty bad, as the "Hey, tomsnetwork, you there?" is combined with "I'm Bill with the password xuknçvg xet hu576à2_7é895bvby6"
What's the point in having an extremely strong pass phrase if you are to shout it everywhere?
"In my opinion, MAC filtering is similar to a cheap padlock closing the trap over the real lock." Yup, MAC filtering does nothing whatsoever to improve the security of a wireless home network. Realistically, if somebody has the knowledge and determination to be able to bypass your password/encryption, then they'll absolutely have the knowledge and determination to be able to bypass MAC filtering. At best, it'd delay the intrusion by maybe 30 seconds or so.
It's worth noting that WPA2 when used with a strong password/phrase cannot be broken and, consequently, it's not necessary to put other security mechanisms in place – especially an extremely weak and inconvenient mechanism like MAC filtering.
"To add to what Tom R. said, hiding your SSID is actually pretty bad, as the 'Hey, tomsnetwork, you there?' is combined with 'I'm Bill with the password xuknçvg xet hu576à2_7é895bvby6'" – That's not quite correct. Unlike client devices that are set to connect to a broadcast network, devices that are set to connect to a non-broadcast network (constantly) disclose the SSID of that network – the network password, however, is not disclosed by the client. That said, you're absolutely right in saying that, from a security perspective, a broadcasting network is better than a non-broadcasting network. This is what Microsoft says on the matter (it refers to XP, but is still applicable to subsequent operating systems):
"A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range."
And:
"For these reasons, it is highly recommended that you do not use non-broadcast wireless networks. Instead, configure your wireless networks as broadcast and use the authentication and encryption security features of your wireless network hardware and Windows to protect your wireless network, rather than relying on non-broadcast behavior."
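What a sniffer actually sees in those probe requests is easy to show. The following is an added example, not from the comment above or from Microsoft's documentation: it builds the two kinds of probe request (the wildcard probe a client of a broadcast network sends, and the directed probe a client of a "hidden" network sends) and pulls the SSID element out of each, exactly as a passive listener would. The station addresses are invented, and `tomsnetwork` is reused from the thread's own illustration as constructed data.

```python
"""Extract the SSIDs that wireless clients name in their probe requests.
Added example with constructed frames; nothing here is captured off the air."""
import struct

FC_PROBE_REQUEST = 0x40   # frame-control byte 0: type 0 (management), subtype 4
FC_BEACON = 0x80          # type 0, subtype 8
BROADCAST = bytes([0xFF] * 6)
ELEMENT_SSID = 0          # information element ID for SSID


def mac_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_probe_request(station: str, ssid: str) -> bytes:
    """24-byte management header + SSID element. An empty SSID is the wildcard
    probe ('anyone out there?'); a non-empty one names the network sought."""
    header = (struct.pack("<BBH", FC_PROBE_REQUEST, 0, 0)
              + BROADCAST + mac_bytes(station) + BROADCAST
              + struct.pack("<H", 0))
    data = ssid.encode()
    body = struct.pack("BB", ELEMENT_SSID, len(data)) + data
    return header + body


def elements(body: bytes):
    """Yield (id, value) for each tag-length-value information element."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        yield eid, body[i + 2:i + 2 + length]
        i += 2 + length


def probed_ssids(frames) -> dict:
    """Map station MAC -> set of SSIDs it explicitly asked for. Wildcard probes
    are dropped because they name no network. No key is needed to read any of
    this: management frames are never encrypted, whatever the WPA setting."""
    result = {}
    for frame in frames:
        if len(frame) < 24 or frame[0] != FC_PROBE_REQUEST:
            continue
        sender = mac_str(frame[10:16])    # addr2 of a probe request is the station
        for eid, value in elements(frame[24:]):
            if eid == ELEMENT_SSID and value:
                result.setdefault(sender, set()).add(value.decode(errors="replace"))
    return result


# Constructed capture. Station addresses are invented; 'tomsnetwork' is the
# thread's own example name.
CAPTURE = [
    build_probe_request("00:1a:2b:3c:4d:5e", ""),             # client of a broadcast network
    build_probe_request("00:1a:2b:3c:4d:6f", "tomsnetwork"),  # client of a 'hidden' network
    build_probe_request("00:1a:2b:3c:4d:6f", "tomsnetwork"),  # ...and it keeps asking
    struct.pack("<BBH", FC_BEACON, 0, 0) + b"\x00" * 20,       # unrelated beacon, ignored
]

if __name__ == "__main__":
    for station, ssids in probed_ssids(CAPTURE).items():
        print(station, "is looking for", ", ".join(sorted(ssids)))
```

The client of the broadcast network never appears in the result because its wildcard probe carries a zero-length SSID; the client of the "hidden" network hands the name over in every probe, whether or not the network is nearby, which is exactly the Microsoft warning quoted above.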
Good point Ray to include Microsoft's comments on the matter, especially "Unlike broadcast networks, wireless clients running Windows [XP, Server ****, 7, 8, 8.1, 10] [that] are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range."
The problem here is someone taking their laptop out to a public place, and their machine is shouting out for their SSID. Anyone who wants to can monitor the shout outs, and when they get one, set up a Honeypot to pretend to be that SSID. Since that SSID is the preferred and trusted internet source, in short order they are surfing via the Honeypot, and the bad guy is capturing everything they send through.
I suppose if they only connect to and use encrypted sites and logins and data they might still be safe, but if they've already blown it using a "hidden" SSID, why should we assume they haven't also messed up something else and are completely (or largely) vulnerable to that man-in-the-middle Honeypot attack?
@Alain – I never said the passphrase was included in the SSID broadcast, just the network identifier. If you're using WPA, the passcode is encrypted for transmission to the router.
In order to know which MAC addresses can access your LAN, sniffing is not enough. You need to access the router and there you can see the list. If you have a good login on your router (user and password different from the default, and a password that's a hard one to find out), it is highly unlikely that anyone will be able to do that. The other thing is that some routers (I use TP-Link) have the ability to restrict the MAC addresses that can access the management of the router. I have 3 MACs that can access the router at all. I use no encryption on the network. There are 3 MACs on the planet that can access my router and then they need my 44 character password and my user ID (which surprisingly isn't admin or Admin :-) ).
On Access points that widen the range of my WiFi, besides them not doing the DHCP, I use that same security and a long and winding password for the WPA2-PSK. The main router has no encryption and no one can access or connect to my WiFi unless I allow it (And I have some 45 MACs permitted).
The main reason I go through such great trouble is that encryption and decryption of every packet of data will delay the transfer a bit and I want it to be as fast as possible.
Besides, I use "WhoIsOnMyWiFi" which tells me when something I did not authorize tries to connect. I tested it, but after the test, there never was any unauthorized access to my LAN.
In short, in my opinion and from my experience, if you know what and how, encrypt critical data on your computers and smartphones/pads, so they'll be safe even if they fall into the wrong hands; but other than secondary access points or repeaters, there is no point encrypting the LAN packets if you have a good login on your router and are using management permissions on it and use MAC filtering only for the LAN (just make sure when anyone you allow in has a new laptop/pad/smartphone, to get it and put it in the allowed list and take out the old MACs that are no longer in use by those you allow in).
(My humble opinion)
"In order to know which MAC addresses can access your LAN, sniffing is not enough. You need to access the router and there you can see the list." – That's totally and completely incorrect.
"The main reason I go through such great trouble is that encryption and decryption of every packet of data will delay the transfer a bit." – Unless somebody is using hardware that's a decade or more old, the performance loss will be minimal. Imperceptible, in fact.
"I use 'WhoIsOnMyWiFi' which tells me when something I did not authorize tries to connect." – Which is all well and good if you happen to be at home – and awake! – to take the necessary action. Otherwise, it'll do nothing to keep people off your network.
Bottom line: WPA2 is a better and far more secure choice.
I used to use MAC address filtering. I don't know how many minutes I wasted trying to add a device to my network and couldn't get it working. Then I would remember that I had MAC address filtering on. I would have to dig up the MAC address of the new device, reconfigure the router and then try adding the device again. I think the only person inconvenienced by my MAC address filtering was me!
Ha! Absolutely right. Realistically, a hacker could bypass MAC filtering in less time than it'd take you to log in to the router and create a new rule!
Probably the best argument yet. MAC filtering and not broadcasting the SSID would probably stop the vast majority of people getting into your network, as most of those are mooching neighbors or drive-by moochers who go for the low hanging fruit, but it's so much simpler to use a strong WPA2 password and fugetaboutit. Not to mention that you just might be that one person in a thousand who is attacked by a hacker.
Hi, SSID and PW are said to be a guard. WPA2 encryption is also not safe. I have configured my modem and after using it some hours, I changed the SSID and PW, and then saved the router settings.
This I had done on my laptop through a WiFi connection.
Then closed the laptop. Booted the computer and I could not access the internet, saying so many things, like: I do not have a LAN on a valid IP, modem is having connectivity issues, DNS server problem and whatnot.
I could not log in to the router page to configure again. I called the help desk, and they asked me to go to the router page. I said that is the problem. The help desk told me to reset. Oh, all was gone. My router was restored to factory default and I could not do anything.
Went to the technical person and he used some ipconfig commands, and accessed the router page and then again entered the usual settings manually to get the internet access. Now the problem is more, as the router pages are used commercially nowadays.
Ok, what is the cure to this? Buying a new modem, which when reset should be able to give internet access, rather than configuring again all over.
Leo would probably come with a better suggestion. And I would request him to take the concerns of users. Normally ports 80, 23, and 21 are shown as vulnerable ports, which allow easy access to malicious programs and router hacks.