
duality.vpn

How to Stay Safe on Public Wi-Fi (a Practical Checklist for 2026)

Author: Sydney Rossum-Ritch

The conventional wisdom about public Wi-Fi has not aged well. Ten years ago, the warnings about hotel and café networks were correct: a determined attacker on the same Wi-Fi could read most of your traffic and steal cookies straight out of the air. Today, almost every site you visit is encrypted with HTTPS, which closes most of that gap.

But "most" is doing a lot of work in that sentence. The part of public Wi-Fi that is still genuinely risky has shifted, and the defenses have shifted with it. Here is the short version of what actually matters in 2026.

What is and is not still risky

Mostly solved by HTTPS:

  • Reading the contents of websites you browse.
  • Stealing your login session cookie from a normal website.
  • Sniffing your password as you log in to a real bank, email provider, or social network.

Still genuinely risky:

  • Evil-twin networks. An attacker sets up a Wi-Fi access point named "Starbucks WiFi" or "Hotel Guest" with stronger signal than the legitimate one. Your phone happily joins it. Now they are in the middle of every connection you make and can serve you fake login pages or capture DNS lookups.
  • Captive-portal phishing. The "click here to connect" page sometimes asks for your email and a password — and a surprising number of people enter the same password they use for their email account.
  • Unencrypted traffic. Some apps, especially older ones, still send data without TLS. Less common than it used to be, still happens.
  • DNS-level surveillance. Even with HTTPS, anyone watching the network can see which sites you visit: DNS lookups are typically sent unencrypted, and the SNI field in the TLS handshake leaks the hostname. Not the contents, but the destinations.
  • Old or unpatched devices. Network-level exploits against unpatched operating systems are still real.

The two-minute checklist

This is what to actually do, in order of impact:

1. Turn on a VPN before you connect to anything important. Even if HTTPS protects the contents of your traffic, a VPN hides which sites you are visiting from anyone watching the network — including the network operator. It also defeats most evil-twin attacks because your traffic is encrypted to a server you trust, not to whatever access point is broadcasting nearby.

2. Forget the network when you are done. Phones and laptops automatically reconnect to "known" networks. If you connected once to a sketchy café Wi-Fi, your phone will silently reconnect every time it sees the same name in the future. Go into Wi-Fi settings, tap the network, and choose "Forget."

3. Disable Wi-Fi auto-join entirely on devices that travel. Modern phones offer a setting like "Ask to Join Networks." Turn it on. The 1-second annoyance of confirming a network is worth not silently joining a hostile one.

4. Watch for captive-portal weirdness. A real captive portal asks for an email address (sometimes), agreement to terms, or nothing at all. If it asks for a password, especially without explaining what that password is for, close the page and use mobile data instead.

5. Run a leak test before doing anything sensitive. A free IP leak test confirms your VPN is actually masking your real address and that nothing is escaping the tunnel via WebRTC.
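
Steps 2 and 3 can be checked mechanically on a Linux laptop. The following is an added example, not part of the original article: it audits saved Wi-Fi profiles in NetworkManager's keyfile (`.nmconnection`) format and flags networks without authentication, separating those that will still be joined automatically. The sample profiles are constructed, the function name is hypothetical, and only the modern `[wifi]` / `[wifi-security]` section names are handled.

```python
import configparser

# Constructed sample keyfiles (not real profiles).
SAMPLES = {
    "hotel": "[connection]\nid=Hotel Guest\ntype=wifi\n[wifi]\nssid=Hotel Guest\n",
    "home": "[connection]\nid=HomeNet\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "cafe": "[connection]\nid=Cafe\ntype=wifi\nautoconnect=false\n[wifi]\nssid=Cafe\n",
}

def audit_profile(text: str):
    """Return (ssid, finding) for a risky saved Wi-Fi profile, else None."""
    # interpolation=None: passphrases may contain '%', which must not be expanded.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
    # NetworkManager auto-joins a saved profile unless it says autoconnect=false.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    # No [wifi-security] section means an open network; OWE encrypts but does
    # not authenticate the access point, so any AP can claim the same name.
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback=None)
    if key_mgmt not in (None, "owe"):
        return None
    if auto:
        return ssid, "unauthenticated, auto-join ON: forget it or disable auto-join"
    return ssid, "unauthenticated, auto-join off: forget it if no longer needed"

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        finding = audit_profile(text)
        if finding:
            print(f"{finding[0]}: {finding[1]}")
```

On a machine that uses NetworkManager, saved profiles normally live under /etc/NetworkManager/system-connections/ and are readable only by root; each file's contents can be passed to `audit_profile` unchanged.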

What about banking and password managers?

Banking apps are usually fine on public Wi-Fi because they implement certificate pinning and refuse to connect when a fake access point tries to intercept the connection. Password managers are also generally safe because they encrypt locally before any data leaves your device.

The weakest links are still the same as they have always been: re-used passwords, phishing pages that look like the real thing, and devices that have not been updated in months. A VPN does not fix any of those — it just removes the network as one of the attack surfaces.

Frequently asked questions

Is hotel Wi-Fi safe?

Hotel Wi-Fi is among the worst networks you regularly connect to. Captive portals are easy to spoof, networks are shared with hundreds of strangers, and many hotel routers have not been firmware-updated in years. Always use a VPN, and prefer your phone's mobile hotspot for anything financial.

Can someone steal my password on public Wi-Fi?

If the site you log in to uses HTTPS — and almost every real site does — the password itself is encrypted. The risks are: a phishing page served by a fake access point, malware on your device, or you typing the password into a sketchy captive portal that pretends to be the network's auth page.

Does a VPN make public Wi-Fi 100% safe?

No. A VPN protects against network-level eavesdropping and most evil-twin attacks. It does not protect against malware on your device, phishing emails, or you being persuaded to enter a password into the wrong page. Treat it as one strong layer in a defense-in-depth approach.
