Is it considered bad practice to use company name as part of an SSID?

"Hiding" your SSID is just "security by obscurity" - like hiding the front door key under the mat. It works only as long as no one figures it out. Once it is figured out, it provides zero security.

In general, you want security measures that will work even if everyone knows what measure you've used.

Yes, by providing your name, any opportunist can focus on your network if they have that desire, but just having a WiFi network broadcasts that a network is there, anyway. If someone is targeting you specifically, they will find your SSID, even if you obscure or hide it.

So, hiding or obscuring the SSID provides very, very low protection. Unless you have a specific reason to need such specific, low, and opportunistic protection (and there are possible reasons), I'd focus on securing the network instead.

As JPhi1618 and emory point out in the comments, you could even create a security issue by using a nondescript SSID: If you set it to df42Sdd235f2, for example, then someone could set up a WiFi network with your company name or even df42Sdd235f3 in order to attract people to connect to it instead of your corporate network and the victims would not have any clues that the network was not the official network.


It doesn't help for reasons described in other answers. And there is actually a way for an attacker to use strange SSIDs against you. If your access point authenticates itself with a certificate and its SSID is "Company", then no attacker can claim to be "Company". They would need to choose another SSID, so there would obviously be two networks and this would hopefully make employees think about which one is right (and notify/ask someone who would be able to tell that this is an attack).

If the official network is "iewrbfpwh" and an attacker creates a network "Company" you can be sure some people would connect to it by mistake.


From a security perspective, is it considered bad practice to use the company name as a part of an SSID?

No.

Would I be overthinking this if I required wireless network SSID's to be random strings?

Yes.


While doing this may prevent the simply curious, this will in no means deter an interested or determined attacker. Effective security should always put more burden on the attacker than the resource being protected. So let's examine this a bit.

Even if you are in a large multiple story building in the center of a large metropolitan business district (probably the extreme example of "located in a densely populated area with a lot of 'competing' wireless networks"), it would take no more than knowing you were there, a moderate amount of access (for example stairwells typically are easy to access for escape purpose and will suffice for the purpose), a laptop running Linux (or other OS with specific tools available), and 10-20 minutes to figure out which wireless network(s) were yours. Having some other 802.11 tools available and/or more access, it could be done easily in less than 10 minutes.

If you have a guest network that is easily recognizable by visitors, it's possible to determine your networks in less than a minute.

Now, compare that to the burden put on your users and IT staff. How confusing this would be to them, how many mistakes were made, how many times the questions are asked, etc. Depending on the size of your organization, this would be well over 10-20 minutes per day and would certainly be much more when you first establish this policy (each device would have to be "touched" in some fashion, etc).

This fails the test of effective security and enters the realm of security theater. There is really no security benefit to this type of action.

Tags:

Wifi

Obscurity