Is it really possible for most enthusiasts to crack people's Wi-Fi networks?

Without arguing the semantics, yes the statement is true.

There are multiple standards for WIFI encryption including WEP, WPA and WPA2. WEP is compromised, so if you are using it, even with a strong password it can be trivially broken. I believe that WPA is a lot harder to crack though (but you may have security issues relating to WPS which bypass this), and as of October 2017, WPA2 also offers questionable security. Also, even reasonably hard passwords can be brute-forced - Moxie Marlinspike - a well-known hacker - offers a service to do this for US$17 using cloud computing - although it's not guaranteed.

A strong router password will do nothing to prevent someone on the WIFI side transmitting data through the router, so that is irrelevant.

A hidden network is a myth - while there are boxes to make a network not appear in a list of sites, the clients beacon the WIFI router, thus its presence is trivially detected.

MAC filtering is a joke as many (most/all?) WIFI devices can be programmed/reprogrammed to clone an existing MAC address and bypass MAC filtering.

Network security is a big subject, and not something amenable to a Superuser question, but the basics are that security is built up in layers so that even if some are compromised not all are - also, any system can be penetrated given enough time, resources and knowledge, so security is actually not so much a question of "can it be hacked", but "how long will it take" to hack. WPA and a secure password protect against "Joe Average".

If you want to enhance the protection of your WIFI network you can view it as a transport layer only, and encrypt and filter everything going across that layer. This is overkill for the vast majority of people, but one way you could do this would be to set the router to only allow access to a given VPN server under your control, and require each client to authenticate across the WIFI connection across the VPN - thus even if the WIFI is compromised there are other [harder] layers to defeat. A subset of this behaviour is not uncommon in large corporate environments.

A simpler alternative to better securing a home network is to ditch WIFI altogether and require only cabled solutions. If you have things like cellphones or tablets this may not be practical though. In this case you can mitigate the risks (certainly not eliminate them) by reducing the signal strength of your router. You can also shield your home so that frequency leaks less - I've not done it, but strong rumour (researched) has it that even aluminum mesh (like fly screen) across the outside of your house, with good grounding, can make a huge difference to the amount of signal that will escape. [ But, of course, bye-bye cellphone coverage ]

On the protection front, another alternative may be to get your router (if it's capable of doing it, most aren't, but I'd imagine routers running openwrt and possibly tomato/dd-wrt can) to log all packets traversing your network and keep an eye on it - Hell, even just monitoring for anomalies with total bytes in and out of various interfaces could give you a good degree of protection.

At the end of the day, maybe the question to ask is "What do I need to do to make it not worth a casual hacker's time to penetrate my network" or "What is the real cost of having my network compromised", and going from there. There is no quick and easy answer.

Update - Oct 2017

Most clients using WPA2 - unless patched - can have their traffic exposed in plaintext using "Key Reinstallation Attacks - KRACK" - which is a weakness in the WPA2 standard. Notably, this does not give access to the network, or the PSK, only to the traffic of the targeted device.
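
The byte-count monitoring this answer suggests, as an added example (not code from the answer or from any router firmware): it parses /proc/net/dev as exposed on Linux-based routers such as OpenWrt, diffs two polls, and flags any interface whose bytes in or out jump far above the median of earlier intervals. The two snapshots and the baseline history are constructed sample data.

```python
from statistics import median

# Constructed sample: two consecutive /proc/net/dev snapshots, one polling
# interval apart. The column layout is the real one used by Linux routers.
SNAP_T0 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 50000000   40000    0    0    0     0          0         0 20000000   30000    0    0    0     0       0          0
 wlan0: 30000000   25000    0    0    0     0          0         0 10000000   12000    0    0    0     0       0          0
"""
SNAP_T1 = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 52000000   41000    0    0    0     0          0         0 21000000   31000    0    0    0     0       0          0
 wlan0: 31000000   26000    0    0    0     0          0         0 90000000   80000    0    0    0     0       0          0
"""
# Constructed baseline: (rx_bytes, tx_bytes) deltas seen in earlier intervals.
HISTORY = {"eth0": [(2_000_000, 1_000_000)] * 4,
           "wlan0": [(1_000_000, 1_500_000), (900_000, 1_200_000),
                     (1_100_000, 1_400_000), (1_000_000, 1_300_000)]}

def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from the text of /proc/net/dev."""
    counters = {}
    for line in text.splitlines()[2:]:        # skip the two header lines
        if ":" not in line:
            continue
        name, fields = line.split(":", 1)
        cols = fields.split()                 # rx bytes is col 0, tx bytes col 8
        counters[name.strip()] = (int(cols[0]), int(cols[8]))
    return counters

def deltas(before, after):
    """Bytes moved per interface between two snapshots, as (rx, tx)."""
    return {i: (after[i][0] - before[i][0], after[i][1] - before[i][1])
            for i in after if i in before}

def anomalies(history, current, factor=5, floor=5_000_000):
    """Flag interfaces whose rx or tx delta exceeds `factor` x the median of
    their past deltas; `floor` stops idle links alerting on tiny baselines."""
    flagged = {}
    for iface, (rx, tx) in current.items():
        past = history.get(iface, [])
        if len(past) < 3:                     # not enough history for a baseline
            continue
        base_rx = median(p[0] for p in past)
        base_tx = median(p[1] for p in past)
        if rx > max(floor, factor * base_rx) or tx > max(floor, factor * base_tx):
            flagged[iface] = (rx, tx)
    return flagged

def check_sample():
    return anomalies(HISTORY, deltas(parse_proc_net_dev(SNAP_T0),
                                     parse_proc_net_dev(SNAP_T1)))
```

On a real router the two snapshots would come from reading /proc/net/dev on a timer, and the history from the deltas of previous polls.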


As others have said, SSID hiding is trivial to break. In fact, your network will show up by default in the Windows 8 network list even if it's not broadcasting its SSID. The network still broadcasts its presence via beacon frames either way; it just doesn't include the SSID in the beacon frame if that option is ticked. The SSID is trivial to obtain from existing network traffic.

MAC filtering is not terribly helpful, either. It might briefly slow down the script kiddie that downloaded a WEP crack, but it's definitely not going to stop anyone that knows what they're doing, since they can just spoof a legitimate MAC address.

As far as WEP is concerned, it is completely broken. The strength of your password doesn't matter much here. If you're using WEP, anyone can download software that will break into your network pretty quickly, even if you have a strong passkey.

WPA is significantly more secure than WEP, but is still considered to be broken. If your hardware supports WPA but not WPA2, it's better than nothing, but a determined user can probably crack it with the right tools.

WPS (wireless protected setup) is the bane of network security. Disable it regardless of what network encryption technology you're using.

WPA2 - in particular the version of it that uses AES - is quite secure. If you have a decent password, your friend is not going to get into your WPA2 secured network without getting the password. Now, if NSA is trying to get into your network, that's another matter. Then you should just turn off your wireless entirely. And probably your internet connection and all of your computers, too. Given enough time and resources, WPA2 (and anything else) can be hacked, but it's likely going to require a lot more time and a lot more capabilities than your average hobbyist is going to have at their disposal.

As David said, the real question is not 'Can this be hacked?' but, rather, "How long will it take someone with a particular set of capabilities to hack it?" Obviously, the answer to that question varies greatly with respect to what that particular set of capabilities is. He's also absolutely correct that security should be done in layers. Stuff you care about shouldn't be going over your network without being encrypted first. So, if someone does break into your wireless, they shouldn't then be able to get into anything meaningful aside from maybe using your internet connection. Any communication that needs to be secure should still use a strong encryption algorithm (like AES), possibly set up via TLS or some such PKI scheme. Make sure your e-mail and any other sensitive web traffic is encrypted and that you aren't running any services (like file or printer sharing) on your computers without the proper authentication system in place.


Update Oct 17, 2017 - This answer reflects the situation prior to the recent discovery of a major new vulnerability that affects both WPA and WPA2. The Key Reinstallation AttaCK (KRACK) takes advantage of a vulnerability in the handshaking protocol for Wi-Fi. Without going into the messy cryptography details (which you can read about at the linked website), all Wi-Fi networks should be considered broken until they are patched, regardless of which particular encryption algorithm they're using.

Related InfoSec.SE questions regarding KRACK:
Consequences of the WPA2 KRACK attack
How can I protect myself from KRACK when I can't afford a VPN?


Since other answers on this thread are good, I think that, for those requesting a concrete answer (well... this is SuperUser, isn't it?), the question could easily be translated as: "What should I know to make my WiFi network secure?".
Without negating (nor confirming) any of the other answers, this is my short answer:

The words of the cryptologist Bruce Schneier could be worthwhile advice for many users to remember:

The only real solution is to unplug the power cord.

This can often be applied to wireless networks: do we constantly need it working?
Many routers have a WiFi button to enable/disable wireless, like the D-Link DSL-2640B.
If not, you can always automate web enabling/disabling of wireless by using tools like iMacros (available as an extension for Firefox or as a standalone program) on Windows and many others on Linux.

And here are two tricks for WPA (please, forget WEP) password (a good WPA password will make attacks very difficult) creation (do not keep the default password):

  1. Use nonexistent and/or foreign words: SilbeasterStallonarius, Armorgeddon, HomecitusSapiensante (as no simple dictionary can be used to find them).
  2. Create your own easy-to-remember (for you at least) sentence and define your password by taking the first character of each word. The results will be a hard-to-crack (8 characters minimum) yet easy to remember password that includes uppercase and lowercase letters, numbers and some other non-alphabetic characters:
    "You have two sons and 3 cats, and you love them." --> "Yh2sa3c,aylt."

And, for the sake of God: disable WPS right now! It is totally flawed.
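
The sentence trick from this answer, as an added worked example that is not part of the answer: it applies the rule the way the example output reads (number words such as "two" become digits, punctuation glued to a word is kept), checks the 8 to 63 printable-ASCII limit WPA-Personal imposes on passphrases, and then derives the PSK exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1 with the SSID as salt), which is why the same passphrase yields a different key on every network name. The SSID "HomeNet" is a constructed value.

```python
import hashlib
import string

# The answer's example turns "two" into "2", so number words map to digits.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

def sentence_to_passphrase(sentence):
    """First character of every word, keeping punctuation attached to the
    word's end, so 'cats,' becomes 'c,' and 'them.' becomes 't.'."""
    out = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)
        trailing = word[len(core):]
        out.append(NUMBER_WORDS.get(core.lower(), core[:1]) + trailing)
    return "".join(out)

def valid_wpa_passphrase(passphrase):
    """WPA-Personal passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)

def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PSK as WPA/WPA2-Personal does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a table precomputed for one network name is
    useless against another, and the 4096 iterations are the cost every
    offline guess at the passphrase has to pay."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def demo():
    """The answer's own sentence, on a constructed SSID 'HomeNet'."""
    phrase = sentence_to_passphrase("You have two sons and 3 cats, and you love them.")
    return phrase, valid_wpa_passphrase(phrase), wpa_psk(phrase, "HomeNet").hex()
```

The derivation only makes guessing slower per candidate; a passphrase built from a famous quotation is still a dictionary entry for anyone who tries sentences the same way.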


None of the things you mention (apart from the network password) really affect the hacking of a Wi-Fi network. Insomuch as a MAC address filter and hidden SSID do nothing really to help in terms of security.

What really matters is the encryption type used on the network. Older network encryptions like WEP were trivial to break because with enough traffic you could decode them, and you could force them to generate the traffic you needed.

Newer ones like WPA2 are much more secure however. Now, nothing is 'secure' against all adversaries, but this is usually enough for home Wi-Fi.

It's a large topic, and this only touches on the tip of the iceberg, but hopefully it helps.


WEP and WPA1/2 (with WPS enabled) can be hacked trivially; the former by using captured IVs and the latter with a WPS PIN bruteforce (only 11,000 possible combos, from a 3-part pin; 4 digits [10,000 possible] + 3 digits [1,000 possible] + 1 digit checksum [computed from the rest]).

WPA1/2 are tougher with a strong password, but using GPU cracking and a bruteforce technique can bust some of the weaker ones.

I've personally cracked WEP and WPS on my work network (with permission, I was demonstrating the vulnerabilities to my employers), but I've yet to successfully crack WPA.