MAC filtering is not a part of the 802.11 spec, and is instead shoved into wireless routers by (most) vendors. The reason it's not part of the spec is that it provides no true security (see Kerckhoffs's principle): in order for wireless to work, MAC addresses are exchanged in plaintext regardless of whether you're using WEP, WPA, WPA2, or an open AP. For encrypted wireless, the MAC address is either part of the initial handshake (used to derive the session key) and/or exposed during pre-encryption communications.

Simply put, MAC filtering is not something that needs to be "cracked." In open networks, people only need to sniff the air and they will be able to see what devices are working, and then they can use one of many extremely simple tools to change their MAC address. From there, they have access to your network. In encrypted networks, they will need to sniff and grab a new handshake (which can easily be forced via a deauth attack). In addition to all of these reasons, MAC filtering is also much more of a pain in the butt to upkeep than instituting something like WPA2-PSK.

The main difference between WPA2-PSK and WPA2-Enterprise, aside from the method of authentication and authorization, is that with WPA2-PSK, if someone knows the PSK and can capture the handshake of a user, they can decrypt their stream. That is not possible with WPA2-Enterprise, because it uses EAP, which yields a different encryption key per individual via the EAP mode. This is important because you wouldn't want just anybody with access to the network to be able to decrypt the CEO's wireless communications.

It is also important to note that with WPA2-PSK, your ESSID does play a part in the security of your network because of the following:

PMK = PBKDF2(HMAC-SHA1, passphrase, essid, 4096, 256)

Essentially, WPA2-PSK uses your ESSID as the salt when running PBKDF2.

My suggestion is to use WPA2-PSK with a strong key for personal networks or WPA2-Enterprise with a strong EAP mode (PEAP or TLS) for enterprise networks.
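The plaintext-header point above, as an added example that is not part of the original post: a small Python decoder of the 802.11 MAC header, run over two constructed frames, a CCMP-protected data frame from a client to the AP and an unprotected deauthentication frame from the AP to that client. The MAC addresses, CCMP header bytes and "ciphertext" are made up for illustration. The Protected Frame bit only covers the frame body, so the addresses decode identically in both cases, which is all a MAC-filter bypass ever needed to see.

```python
import struct

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Decode the MAC header of an 802.11 frame.

    The header is never encrypted: WEP/WPA/WPA2 only protect the frame body,
    so addr1..addr3 (and the Protected Frame bit itself) are readable by
    anyone in range, which is why a MAC allow-list is not a secret.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than a 3-address MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]   # byte 0: version/type/subtype, byte 1: flags
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    flags = fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    protected = bool(flags & 0x40)               # "Protected Frame" (WEP/WPA/WPA2 body encryption)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]

    if ftype == 2 and to_ds and not from_ds:      # data, station -> AP
        bssid, sa, da = a1, a2, a3
    elif ftype == 2 and from_ds and not to_ds:    # data, AP -> station
        da, bssid, sa = a1, a2, a3
    elif ftype == 2 and to_ds and from_ds:        # WDS: four addresses, no BSSID
        sa, da, bssid = frame[24:30], a3, None
    else:                                         # IBSS data and every management frame
        da, sa, bssid = a1, a2, a3

    return {
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "protected": protected,
        "sa": mac_str(sa),
        "da": mac_str(da),
        "bssid": mac_str(bssid) if bssid else None,
    }


def stations_seen(frames: list, bssid: str) -> set:
    """MAC addresses of clients that exchanged frames with `bssid`, encrypted or not."""
    seen = set()
    for frame in frames:
        h = parse_80211_header(frame)
        if h["bssid"] != bssid:
            continue
        for addr in (h["sa"], h["da"]):
            if addr != bssid and not addr.startswith("ff:ff"):   # skip the AP itself and broadcast
                seen.add(addr)
    return seen


# Constructed addresses for the example (not from a real capture).
AP = bytes.fromhex("aabbccddeeff")
CLIENT = bytes.fromhex("001122334455")

# Constructed WPA2/CCMP data frame, client -> AP: FC bytes 0x08 0x41 = data, ToDS, Protected.
PROTECTED_DATA = (bytes([0x08, 0x41]) + b"\x2c\x00"          # frame control, duration
                  + AP + CLIENT + AP                           # addr1=BSSID, addr2=SA, addr3=DA
                  + b"\x10\x00"                                # sequence control
                  + bytes.fromhex("0100002000000000")          # CCMP header: PN, key id, ExtIV bit
                  + bytes(range(0x80, 0x98)))                  # placeholder ciphertext + MIC

# Constructed deauthentication frame, AP -> client: FC bytes 0xc0 0x00 = management subtype 12.
DEAUTH = (bytes([0xc0, 0x00]) + b"\x3a\x01"
          + CLIENT + AP + AP                                   # addr1=DA, addr2=SA, addr3=BSSID
          + b"\x20\x00"
          + b"\x07\x00")                                       # reason code 7 (class 3 frame from non-associated STA)

if __name__ == "__main__":
    for f in (PROTECTED_DATA, DEAUTH):
        print(parse_80211_header(f))
    print(stations_seen([PROTECTED_DATA, DEAUTH], mac_str(AP)))
```

Feeding real frames from a monitor-mode capture (for example the raw bytes scapy or a pcap reader hands you) into `stations_seen` gives the same list a MAC-filter bypass would start from; the deauth frame decodes with `protected` false because, without 802.11w, management frames carry no protection at all.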
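The PBKDF2 line and the "knows the PSK and captured the handshake" argument, as an added worked example (added here, not the author's code): derive the PMK the way 802.11i specifies, then expand it to the PTK with the four-way-handshake inputs, which is where the two MAC addresses enter. The passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11 test vector; the MAC addresses and nonces are constructed placeholders standing in for values sniffed from the handshake.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits).

    The SSID is the salt, so the same passphrase on a differently named
    network yields an unrelated PMK (and precomputed tables are per-SSID).
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP) from the PMK plus the handshake inputs.

    Both MAC addresses (AA = AP, SPA = client) and both nonces go into the
    derivation, which is why they travel in the clear: each side must see the
    other's values before any key exists. min/max makes the order irrelevant.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> dict:
    """KCK (MIC key for the handshake), KEK (wraps the GTK), TK (CCMP data key)."""
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed sample values (not from a real capture).
AP_MAC = bytes.fromhex("aabbccddeeff")
CLIENT_MAC = bytes.fromhex("001122334455")
ANONCE = bytes(range(0x10, 0x30))   # 32 bytes standing in for the AP's random nonce
SNONCE = bytes(range(0x40, 0x60))   # 32 bytes standing in for the client's random nonce


def eavesdropper_recovers_tk(passphrase: str, ssid: str) -> bool:
    """Model of the WPA2-PSK weakness described above.

    The legitimate client and a third party who knows only the passphrase,
    the SSID from the beacon, and the MACs/nonces from the sniffed handshake
    both compute the same TK, so the third party can decrypt that client's
    traffic. With WPA2-Enterprise the PMK comes from the per-user EAP
    exchange instead, so knowing another user's credentials does not help.
    """
    pmk = derive_pmk(passphrase, ssid)
    client_tk = split_ptk(derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE))["tk"]
    # The sniffer read the addresses off the frames; the order it passes them
    # in does not matter because derive_ptk sorts them.
    sniffer_tk = split_ptk(derive_ptk(pmk, CLIENT_MAC, AP_MAC, SNONCE, ANONCE))["tk"]
    return client_tk == sniffer_tk


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())   # IEEE test vector
    print(derive_pmk("password", "ieee").hex())   # same passphrase, different salt, unrelated PMK
    print(eavesdropper_recovers_tk("password", "IEEE"))
```

Two things worth noticing when you run it: the PMK for "password"/"IEEE" matches the vector in the 802.11 standard (and what `wpa_passphrase` prints), and changing nothing but the SSID's case produces a completely different PMK, which is the "ESSID as salt" point; rainbow tables for WPA2-PSK are therefore only useful against the SSIDs they were built for.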