I agree that hidden SSIDs are not a barrier to penetration, in much the same way that MAC address filtering doesn't protect your network either, because it's so easy to spoof a MAC address. Anyone trying to actually penetrate a network would get past both of those things fairly quickly. They're tiny little things which result in requiring an extra step to connect.

In fact, for normal legitimate users trying to connect to a router on a simple network (like a home or a small business), they often add a level of complexity to connection which causes additional tech support hassles for the owner of the network. I would argue against them being Standard Practice in those simple cases. I'd say that anyone who is blindly hiding their SSID, or MAC filtering, because they think it improves security, without thinking about why, is going about security in the wrong way. Your point that the feature can be dangerous, for that reason, is well taken.

But... There are important reasons for those features to exist, some of which I think are actually standard practices. More on that below.

First, one quick aside: Since those features are standard features on a router, I would definitely dock the manufacturer points in a product review for not including those features. I'd wonder what else they left out, under the hood, when they decided to exclude such common features. It would call into question their development and QA practices, and I would have trouble trusting a router whose firmware left those things out.

But that's not the argument you're making. You're arguing that SSID hiding isn't a standard security practice because it's useless for security. Maybe the SSID hiding doesn't increase the security, but it can be an important part of a larger network security plan. There are legitimate reasons besides security that someone would want to use that feature.

For example, hiding some of a company's SSIDs in a large company with a complex network would clean up the list of available SSIDs for those connecting to the visible networks, and make it easier to select the correct SSID. Imagine a company where the hidden SSIDs were only meant to be connected to by a subset of computers who had been set up with a particular group policy or a particular set of distributed WLAN profiles. The idea is that those computers' users are never expected to have to type the SSID or its password, they just run the group policy or the WLAN profile to connect. In that case, you could use the SSID-hiding as a way to automatically filter those special GP-only networks out of the list of available networks. That way, the PEBKAC users and guest users trying to connect to the regular, visible networks by hand, aren't calling up tech support and asking why they can't connect to the GP-only SSIDs. I suppose from that point of view, you could say the SSID hiding *is* related to security... it's just one of a *set* of important features that allows you to cleanly tier your network access. It doesn't make those routers any more secure, but it's an important part of the larger overall network security policy.

Similar thing with MAC addresses. Our company recently implemented MAC address filtering on our network. Each AP has a highly secure password and is using the latest security protocols already, but they are also MAC filtered. Before you can use one of the APs, you must first connect via either the wired network, or via another PC which is already connected, and then you must fill out an internal web form with your MAC address, and specify which networks you want to connect to, and what your purpose for connecting is. And then you must wait for IT to add your MAC address. I needed to get something on the WLAN last Friday and couldn't, because IT was at an offsite meeting and wasn't answering those requests. Wow, what a pain! And a management headache too: I asked the IT manager why on earth he would cause himself and his users such a massive headache for zero security benefit. He had an answer similar to the one above: The MAC filtering wasn't a way to prevent access, it's simply a convenient filtering method that allows them to keep organizational track of which users are requesting access, and then to be able to track which addresses are being used for what, so they can match things up if something goes wrong. I *get* this. Even though MAC address filtering would be completely useless on my home network because it doesn't help actual security and just makes things hard when I have guests over, I could really see this helping an IT guy keep his user base organized at a large company.

I'm sure there are other legitimate reasons for using those features, even if, when taken by themselves, the features aren't secure on their own. Some of those reasons could likely be considered Standard Practice as well.

Finally, keep in mind that Twitter limits your ability to explain your answers. 140 characters ain't much. Perhaps the person you're arguing with simply isn't able to be as nuanced as I was up above, and has to oversimplify his answers, to fit in the limited space.
_________________________
Tony Fabris
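
The record-keeping use of MAC filtering described in the post above, as an added example that is not part of the original post: a Python sketch that reconciles wireless association events against the data collected by a MAC registration form. The field layout, SSIDs, access point names, MAC addresses and log records are all constructed for illustration.

```python
# Constructed registration records, as the internal web form might store them
# (hypothetical layout: MAC -> owner, requested SSIDs, stated purpose).
REGISTRY = {
    "02:00:00:aa:00:01": {"owner": "alice", "ssids": {"corp-lab"}, "purpose": "test rig"},
    "02:00:00:aa:00:02": {"owner": "bob", "ssids": {"corp-lab", "corp-main"}, "purpose": "laptop"},
}

# Constructed association events: (epoch seconds, access point, SSID, client MAC).
EVENTS = [
    (1000, "ap-1", "corp-lab", "02:00:00:AA:00:01"),
    (1100, "ap-2", "corp-main", "02:00:00:aa:00:01"),   # SSID never requested
    (1200, "ap-1", "corp-main", "02:00:00:aa:00:02"),
    (1205, "ap-3", "corp-main", "02-00-00-AA-00-02"),   # second AP within seconds
    (1300, "ap-2", "corp-lab", "02:00:00:aa:00:99"),    # not in the registry
]

def normalize(mac):
    """Lower-case, colon-separated form so log and form entries compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(events, registry, window=30):
    """Return (time, mac, finding) tuples for events the registry cannot explain."""
    findings, last_seen = [], {}
    for ts, ap, ssid, raw in sorted(events):
        mac = normalize(raw)
        entry = registry.get(mac)
        if entry is None:
            findings.append((ts, mac, "unregistered"))
        elif ssid not in entry["ssids"]:
            findings.append((ts, mac, f"ssid-not-requested:{ssid}"))
        prev = last_seen.get(mac)
        # The same address on two APs inside the window is either roaming or
        # two radios sharing one MAC; the registry tells IT whom to ask.
        if prev and prev[1] != ap and ts - prev[0] <= window:
            findings.append((ts, mac, f"multi-ap:{prev[1]},{ap}"))
        last_seen[mac] = (ts, ap)
    return findings

if __name__ == "__main__":
    for finding in reconcile(EVENTS, REGISTRY):
        print(finding)
```

None of these findings blocks a connection; they only turn the registration list into something that can be matched against what the access points actually saw.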