Sharing wifi at a business - Bad Policy?
You can't allow customers to be on the same network as your own computers.
A lot of new WiFi access-points take care of this for you, by creating two wifi networks, where the "guest" network does not have access to internal computers. The Cisco/Linksys 4200 is what I have at home for guests, and it's easy to set up, but there are many other systems that have the same feature.
Is it safe for a small business to let customers use their wifi while waiting?
No. Even if no customer intentionally attacks his WiFi network they could be carrying some type of malware on their laptop/smart phone/portable device that might spread. Additionally the WiFi signal doesn't end at the front door. You have probably connected to a WiFi some place and seen other networks you didn't recognise. Those networks didn't necessarily intend to extend their signal to you. Your friend could accidentally extend his signal to neighboring businesses. In that case he would be sharing his personal network with more than just his customers. As Robert Graham suggested, set up a separate guest WiFi for customers.
the wifi password should be easy so the receptionist can give it to patients. (Though he doesn't expect patients to wait long or most to ask and expect wifi).
Making the WiFi password for the guest WiFi simple is fine as long as it is separate from the business network and the business network uses a strong password. I would still recommend periodically changing the guest WiFi network password, perhaps every month. At the end of the month he does the accounting and changes the WiFi password.
I'm telling him he needs a very strong WPA2 wifi passphrase and to keep it private
Absolutely. Also he needs to change it periodically. I probably don't need to say that he also needs some type of anti-virus software for all of his computers.
Is there a secure way to let the public use your wifi that is monitored by non-tech savvy people (once properly set up)?
Not that I know of; again, I like Robert's suggestion: set up a separate guest network. Even a moderately skilled computer user will have difficulty with the tools used to analyze network activity. Even if the setup was secure at the beginning, IT security is a continually changing problem. One of the best current defenses is to keep your equipment and software up to date. Imagine that the particular wireless access point he is using turns out to have a security vulnerability. At some point the vulnerability is discovered and the vendor releases a firmware update. Who would install the update? If neither your friend nor anyone on his staff could do it, would he feel comfortable letting a vulnerable WiFi access point connect to his business?
Or is the only option for small-scale users (without enterprise solutions) to just not allow random users on their wifi?
That is one option, but I like the separate guest WiFi access better.
Simple MAC address filtering is probably too burdensome on the receptionist
Yea, I don't see that as an option. Not only is it rather burdensome, but it is probably the simplest form of security to circumvent. A little wifi-sniffing + MAC clone gets anyone past the gate not to mention lack of data encryption.
Would it be possible to, say, have a white list of a few MAC addresses that we use; and allow other MAC addresses ~2 MB of unrestricted bandwidth at which point their connection starts getting severely throttled?
Or is it possible to set up a scheme to generate one-time passwords that will expire after the first of ~2MB or 2 hrs of use?
Yes, but I think you want to keep this much simpler. Using a separate guest WiFi access point will save a lot of work trying to keep the guests, and unwanted guests, away from the business stuff.
The easiest way to enforce the time limit is to change the password, and I wouldn't recommend changing the password more often than daily. I think changing the password every week or two is good, up to a month is likely ok. Additionally you could set an electrical socket timer (for example: http://www.amazon.com/Woods-59377-Digital-Appliance-Settings/dp/B000IKQRTU) to turn on during business hours and turn off after hours, which would reduce the exposure of the WiFi to attackers.
To distribute the password I would buy some inkjet or laserjet ready business card sheets (for example: http://www.avery.com/avery/en_us/Products/Cards/Business-Cards) and print out a simplified business card with the dentist's name, address, phone number, and guest WiFi password. The receptionist just has to hand out the cards.
Note: I am not affiliated with Avery, Amazon, or Woods. The examples are not recommendations.
Letting guests come on your network is not a good idea. But this has already been said.
A major point that must be remarked is that even for guests, you need identification and authentication. In fact (I am not aware of your laws) you want to make sure to be able to track back any user of your WiFi in case of a legal problem. If someone comes and tells you: "You have hacked our systems," you need to know who did it.
If I had to choose a solution, I would go for a captive portal that wouldn't allow anyone to access the internet unless provided with credentials. Therefore you (or the receptionist) could issue credentials for guests and register them into your database. These credentials would be time-limited on purpose.
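The time-limited guest credentials suggested above, with the "first of ~2MB or 2 hrs" expiry asked about in the question, can be implemented as a voucher store that a captive portal consults before opening access. This is an added example, not part of the original answers; the class and method names, the code length and the limits are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed limits, taken from the figures floated in the question.
MAX_SECONDS = 2 * 60 * 60        # 2 hours, counted from first use
MAX_BYTES = 2 * 1024 * 1024      # ~2 MB


@dataclass
class Voucher:
    issued_to: str                       # who the receptionist gave the code to
    issued_at: float
    first_used: Optional[float] = None
    bytes_used: int = 0


class VoucherStore:
    """Hypothetical backend queried by the portal on login and on each accounting update."""

    def __init__(self):
        self._by_hash = {}               # codes are stored hashed, never in clear

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, issued_to, now=None):
        now = time.time() if now is None else now
        code = secrets.token_hex(5)      # 40 random bits, short enough to print on a card
        self._by_hash[self._digest(code)] = Voucher(issued_to, now)
        return code

    def authorize(self, code, nbytes=0, now=None):
        """Return (allowed, reason); nbytes is the traffic seen since the last call."""
        now = time.time() if now is None else now
        v = self._by_hash.get(self._digest(code))
        if v is None:
            return False, "unknown code"
        if v.first_used is None:
            v.first_used = now           # the clock starts at first login, not at issue
        v.bytes_used += nbytes
        if now - v.first_used > MAX_SECONDS:
            return False, "time limit reached"
        if v.bytes_used > MAX_BYTES:
            return False, "data limit reached"
        return True, "ok"

    def holder_of(self, code):
        """Issuance record, for tracing a session back to the person it was issued to."""
        v = self._by_hash.get(self._digest(code))
        return v.issued_to if v else None
```
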