Router password vs MAC filtering?

MAC filtering is not a part of the 802.11 spec, and is instead shoved into wireless routers by (most) vendors. The reason it's not a part of the 802.11 spec is that it provides no true security (via Kerckhoffs's principle).

In order for wireless to work, MAC addresses are exchanged in plaintext (regardless of whether you're using WEP, WPA, WPA2, or an OPEN AP). For encrypted wireless, the MAC address is a part of the initial handshake (used to derive the session key), and/or exposed during pre-encryption communications. In addition to all of these reasons, MAC filtering is also much more of a pain in the butt to upkeep than instituting something like WPA2-PSK.

Simply put, MAC filtering is not something that needs to be "cracked." In open networks, people simply only need to sniff the air and they will be able to see what devices are working, and then they can use one of many, many extremely simple tools to change their MAC address. In encrypted networks, they will need to sniff and grab a new handshake (which can easily be forced via a deauth attack). From there, they have access to your network.

My suggestion is to use WPA2-PSK with a strong key for personal networks or WPA2-Enterprise with a strong EAP mode (PEAP or TLS) for enterprise networks. The main difference between the two of these, aside from the method of authentication and authorization, is that with WPA2-PSK, if someone knows the PSK and can capture the handshake of a user, they can decrypt their stream. That is not possible with WPA2-Enterprise, because it uses EAP, which has a different encryption key per individual via the EAP mode. This is important because you wouldn't want just anybody with access to the network to be able to decrypt the CEO's wireless communications.

It is also important to note that with WPA2-PSK, your ESSID does play a part in the security of your network because of the following:

    DK = PBKDF2(HMAC-SHA1, passphrase, essid, 4096, 256)

Essentially, WPA2-PSK uses your ESSID as the salt when running PBKDF2. For this reason, you should also attempt to keep your ESSID unique, to avoid attacks using rainbow tables.

In summation:
- MAC filtering does not provide any level of "true" security
- Use WPA2-PSK if possible (most smartphones do support it)
- Try to have a unique ESSID
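
The PBKDF2 derivation quoted in the answer above, as an added example that is not part of the original post: it derives the WPA2-PSK key with the ESSID as salt and shows that a table precomputed for one ESSID does not match the same passphrase under a different ESSID. The ESSIDs, passphrases and helper names are constructed for illustration.

```python
import hashlib

def derive_pmk(passphrase: str, essid: str) -> bytes:
    """WPA2-PSK key: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 256 bits."""
    pw = passphrase.encode("ascii")   # passphrases are 8-63 ASCII characters
    salt = essid.encode("utf-8")      # an ESSID is at most 32 bytes
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 ASCII characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1-32 bytes")
    # The 256 in the formula is bits, so dklen is 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, dklen=32)

def precompute(essid: str, wordlist: list) -> dict:
    """Model a precomputed table: it is only valid for the one ESSID it was built with."""
    return {derive_pmk(word, essid): word for word in wordlist}

def table_covers(table: dict, passphrase: str, essid: str) -> bool:
    """True if the key for (passphrase, essid) already appears in the table."""
    return derive_pmk(passphrase, essid) in table

if __name__ == "__main__":
    # Constructed sample data: a factory-default style ESSID, a unique ESSID,
    # and a small list of weak passphrases.
    common_essid = "linksys"
    unique_essid = "home-7f3a9c"
    weak_words = ["password", "12345678", "letmein123"]

    table = precompute(common_essid, weak_words)

    for essid in (common_essid, unique_essid):
        pmk = derive_pmk("letmein123", essid)
        print(f"{essid:12} {pmk.hex()[:16]}...  covered by table: "
              f"{table_covers(table, 'letmein123', essid)}")
```

A unique ESSID only defeats precomputation; a weak passphrase is still exposed to a dictionary run against that specific ESSID, which is why the answer pairs it with a strong key.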


First, it does nothing to protect data on the network. Second, MAC addresses can be easily spoofed and a valid MAC address can be sniffed off of any device connected to your network. It will only keep out the most basic of intruders (i.e., someone who is non-technical and simply looking for free wifi). It offers no serious protection to simply use MAC filtering and really only offers the most basic protection possible.


Even a WEP/WPA password of 'password' is better than no password because then the traffic is encrypted.

If you have no password then your traffic, aside from SSL protected sites, is right in the open.

Your MAC address can be changed at will, and as mentioned by Steel City Hacker, can be sniffed right out of the open.

I recommend you explore your neighborhood with a BackTrack distro just to see how this stuff works.