What do you mean your “WiFi router is taken”? Do you mean physically taken or compromised via WiFi?
Randomizing your MAC address is useful when you access WiFi networks that are used by other people. It ensures that the MAC address for a given session doesn’t match any of your hardware or other sessions. It allows you to use the same WiFi again without the two sessions being associated. However, precautions should be taken so that you are not physically associated with the session (your face or car parked near the WiFi network at the time of the session).
As far as using Tor, you might consider:
-
If you absolutely must maintain privacy/anonymity, don’t use Tor from your own residence. There are ways your location can be exposed - even with Tor.
-
If you are using Tor at home and want to maximize privacy and anonymity, don’t broadcast a radio signal of your connection. Use a hard wired ethernet connection.
-
If you are connecting from home and using WiFi, you are probably more secure using a stable MAC address (doesn’t have to be the actual hardware MAC address) rather than a randomized MAC address for each session. That will allow you to configure the router to only allow your specific MAC address to connect (to mitigate local adversaries from gaining access to your WiFi network)
-
If your personal router is compromised or physically accessed and there are logs of your connections, it won’t matter if the MAC addresses are different. They will all be associated with you.
Aside from using properly configured Qubes OS and/or Tails to make your Tor connections, one of the recommended approaches to maximize privacy and anonymity is to use a WiFi network that is not associated with you or places that you frequent. And given the prevalence of facial recognition, license plate readers and other mass surveillance technologies, it’s ideal to access a given network from a distance using a yagi antennae and keeping your sessions as short as possible because even at a distance, it’s possible for an adversary to triangulate your location relatively quickly.
Finally, for maximum privacy/anonymity, the machine that you use from public WiFi would be dedicated for such use (a “burner” laptop). That means not using the same machine at your own residence or other places that are associated with you - and not accessing any personal accounts from that machine regardless of where your are connected.
Obviously those are extreme measures. I don’t know anything about your threat model. In most cases, you will be fine adopting as many measures as are practical. I’m just pointing out that no network or machine should be considered secure - regardless of how it is configured. And even if they were secure, you can still blow your cover with poor behavior. Your online habits, physical movements and other choices can be an even bigger threat than your choice of computer or operating system.