Is it safe to use public Wi-Fi (café, hotel, airport)?
Quick answer
In 2026, public Wi-Fi is much safer than it used to be because almost every website now uses HTTPS encryption — so your bank, your email, and your apps already protect themselves regardless of the network — but it is still wise to avoid logging into anything truly sensitive from a public hotspot you cannot verify.
What it's NOT
Public Wi-Fi is NOT the catastrophic risk it was 10 or 15 years ago — the era where someone with a laptop in a café could sniff your password in plaintext is mostly over thanks to universal HTTPS. And 'I used the café Wi-Fi so I need a VPN' is NOT a general truth: a VPN adds privacy from the café and your ISP, not protection from the websites or apps you use.
More context
Public Wi-Fi is the catch-all name for any network you do not control: the café, the hotel, the airport, the conference, the friend’s house, the corporate guest network. The honest picture in 2026 is that the threat has shrunk dramatically since the mid-2010s, mostly because of one structural change: almost every legitimate site now uses HTTPS, which encrypts your traffic between your device and the site, regardless of who runs the network in between.
Concretely, what changed:
- 2010-2015: many sites still used HTTP, passwords were sent in plaintext, “Firesheep” and similar tools made café-Wi-Fi snooping easy. The “do not log into anything on public Wi-Fi” advice of that era was correct and important.
- 2016-2020: Let’s Encrypt launched, Chrome and Firefox started warning users about HTTP, and the industry pushed HTTPS as default. Coverage went from minority to overwhelming majority.
- 2020-2026: HTTPS is effectively everywhere. Browsers now warn or block HTTP. The old café-sniffing attack does not work against any modern site.
What still genuinely matters on public Wi-Fi in 2026:
- Evil twins. Someone sets up a hotspot named the same as the real one (Starbucks_Free, Airport_WiFi, Hilton_Guest). Your device may auto-join. The attacker is then the network and can run captive-portal phishing, redirect you to fake pages, and so on. Defence: don’t auto-connect to unknown networks; verify the real SSID from the venue’s official notice, not a hand-written sign.
- Captive portals. The “please agree to terms / sign in to the network” page. Most are legitimate but they are a recurring channel for phishing and for over-collecting personal data. Treat them like a stranger asking for information — give a minimum.
- Shoulder-surfing and screen capture. The person at the next table can see your screen. This is far easier and more reliable than any network attack. Use a privacy filter on screens for truly sensitive work.
- Untrusted DNS. A café network can answer DNS queries with malicious responses (sending you to a fake bank instead of the real one). HTTPS catches the most obvious version of this (the certificate won’t match) but you should still avoid logging into your bank or password manager from a Wi-Fi you cannot verify.
What does not really matter anymore (despite the marketing):
- The old “sniffing your password from the air” attack. HTTPS broke it.
- “Hackers on the Wi-Fi can install malware on your phone just because you’re on the same network.” This was always rare; modern OS-level defences make it rarer.
- “Anyone on the café Wi-Fi can read your email.” Not on Gmail, iCloud, Outlook.com, Proton — all HTTPS by default.
Practical 2026 reflexes:
- Anything truly sensitive (banking, password manager master vault, work tools you would not be comfortable doing in a café) — prefer cellular tethering or wait until you’re on a network you trust.
- Disable Wi-Fi auto-connect to networks named “Free Wi-Fi”, “Airport”, etc. On iOS: Settings → Wi-Fi → tap the network → Auto-Join off. On Android: equivalent under the saved networks list.
- Forget hotel and conference Wi-Fi networks when you leave, so your phone does not try to reconnect to an evil twin with the same name later.
- A VPN (see VPN) adds privacy from the venue and the ISP, not protection from the websites themselves. Useful for sensitive work in unfamiliar places, not a strict requirement.
- HTTPS / the padlock (see entry) remains the single most important signal — and it does its job the same way on any network.
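The auto-join and "forget the network" reflexes above can be checked mechanically. The following is an added example, not part of the original page: a small audit over a device's saved Wi-Fi profiles and a nearby scan. The class and function names, the HomeNet and Cafe_Unknown networks, and the BSSIDs are constructed for illustration; the other SSIDs are the page's own examples, and the security-downgrade check is a heuristic, not proof of an evil twin.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SavedProfile:          # one network the device remembers (hypothetical model)
    ssid: str
    security: str            # "open", "wpa2" or "wpa3"
    auto_join: bool

@dataclass(frozen=True)
class ScannedAP:             # one access point seen in a scan (hypothetical model)
    ssid: str
    bssid: str
    security: str

STRENGTH = {"open": 0, "wpa2": 1, "wpa3": 2}

def audit_profiles(profiles):
    """Saved open networks with auto-join on: the device joins any AP that
    uses the name, so these are the profiles to forget or set to manual."""
    return sorted(p.ssid for p in profiles
                  if p.security == "open" and p.auto_join)

def suspicious_aps(profiles, scan):
    """Nearby APs that reuse a saved name with weaker security than saved."""
    saved = {p.ssid: p for p in profiles}
    findings = []
    for ap in scan:
        p = saved.get(ap.ssid)
        if p and STRENGTH[ap.security] < STRENGTH[p.security]:
            findings.append((ap.ssid, ap.bssid,
                             f"saved as {p.security}, seen as {ap.security}"))
    return findings

# Constructed sample data.
SAMPLE_PROFILES = [
    SavedProfile("Hilton_Guest", "open", True),    # left over from a trip
    SavedProfile("Airport_WiFi", "open", False),   # auto-join already off
    SavedProfile("HomeNet", "wpa2", True),
]
SAMPLE_SCAN = [
    ScannedAP("HomeNet", "02:00:00:00:00:01", "wpa2"),
    ScannedAP("HomeNet", "02:00:00:00:00:02", "open"),       # same name, no encryption
    ScannedAP("Hilton_Guest", "02:00:00:00:00:03", "open"),  # cannot be told from the real one
    ScannedAP("Cafe_Unknown", "02:00:00:00:00:04", "open"),  # never saved, never auto-joined
]

if __name__ == "__main__":
    print("Forget or disable auto-join:", audit_profiles(SAMPLE_PROFILES))
    for finding in suspicious_aps(SAMPLE_PROFILES, SAMPLE_SCAN):
        print("Possible evil twin:", finding)
```

The Hilton_Guest row shows why forgetting the profile matters: an open network carries nothing beyond its name, so no scan-side check can tell the real access point from a copy.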
The honest summary: public Wi-Fi in 2026 is a non-issue for ordinary browsing on HTTPS sites, a small concern for captive-portal phishing and evil twins, and a real concern only if you log into something genuinely sensitive on a network you cannot verify. The threat model moved on; the advice should too.
People also ask
Can someone steal my password if I use café Wi-Fi?
Very unlikely in 2026, if the site you log into uses HTTPS — and virtually every legitimate site does. The whole 'guy with a Wireshark in the corner' attack worked when sites still used HTTP and passwords flew through the air in plaintext. Modern HTTPS makes the same traffic look like noise. The realistic café threat is closer to shoulder-surfing (someone reading your screen) than to packet capture.
What's the 'evil twin' Wi-Fi attack?
An attacker sets up a Wi-Fi hotspot with the same name as a real one — 'Starbucks_Free_WiFi', 'AirportWiFi', 'Hilton_Guest' — sometimes with stronger signal than the real one. Your phone or laptop, having connected to that name before, joins automatically. From there, the attacker is the network and can present a fake login page ('please re-enter your hotel-room number') or try to push you to non-HTTPS pages. Defence: do not auto-connect to open networks, look at the real network name on the hotel's official notice, and treat any 'please log in again' page with suspicion.
Should I use a VPN on café or hotel Wi-Fi?
Useful but not essential. A VPN hides from the café and from your ISP which sites you visited. It does not add protection over what HTTPS already gives you. If you are on a hotel Wi-Fi in a country with deep network monitoring, or you want privacy from the venue itself, a VPN is reasonable. For ordinary café Wi-Fi in 2026, the practical benefit is modest.
Is my phone's cellular connection safer than Wi-Fi?
Generally yes. Cellular networks (4G / 5G) are encrypted between your phone and the tower, the carrier is at least subject to telecom regulation, and the attack surface is much smaller than 'whoever runs this Wi-Fi hotspot'. If you have data on your plan and battery to spare, tethering from your phone is a safer default than connecting to an unknown public Wi-Fi for anything sensitive.
What about hotel ethernet or work-network 'guest Wi-Fi'?
Slightly safer than fully open café Wi-Fi (someone has a contractual relationship with the venue), but the same principles apply. The most overlooked risk on hotel networks is captive portals — the 'agree to terms' page — that occasionally double as phishing or that ask for more personal data than they should. Provide a throwaway email if asked, and never enter a credit card or loyalty-program password on a captive portal you reached by joining the Wi-Fi.
Also explained
What is a VPN, and do I actually need one?
A VPN is a privacy tool that hides your internet activity from your local network (your office, the café Wi-Fi, your ISP) and from websites — but it does NOT make you anonymous, and for most people in 2026 it is far less essential than the ads suggest.
What does the padlock in my browser actually mean?
The padlock means the connection between your device and the website is encrypted, so nobody on your Wi-Fi, your office network or your internet provider can read what you send or receive — but it does NOT mean the website itself is honest, legitimate, or safe to trust with your data.
How do I secure my home Wi-Fi router?
Five steps cover almost all real risk: change the default admin password on the router (not just the Wi-Fi password), use WPA3 or WPA2 with a strong passphrase, turn off WPS and remote admin from the internet, keep the router firmware updated, and set up a separate guest Wi-Fi for visitors and smart-home devices.