Free Wi-Fi, Airports, Cafes, Real Risks

For years, every article about public Wi-Fi opened with the same warning. A hacker at the next table could see your passwords, read your emails, and drain your bank account. That picture was overstated then and is mostly out of date now. The internet has changed underneath the advice. The real risks of free Wi-Fi in 2026 are different, narrower, and worth understanding clearly so you spend your caution on the right things.

What Changed Since the Old Warnings

Almost every site you care about now uses HTTPS by default. That little padlock means the traffic between your device and the server is encrypted in transit. Even on a hostile Wi-Fi network, someone sitting nearby cannot read the contents of your traffic. They cannot see your passwords as you type them, they cannot read your email, and they cannot pull your bank balance out of the air.

This single change knocked down the most dramatic part of the old story. The classic “Wi-Fi sniffing” attack against an HTTPS site does not work. The cryptography behind modern web traffic is not the weak link.

What Is Still Risky

That does not mean public Wi-Fi is harmless. The risks have moved into a smaller set of categories that are still worth taking seriously.

Fake Networks

The most common modern attack on public Wi-Fi is not eavesdropping. It is impersonation. An attacker sets up a Wi-Fi network with a name like “Airport_Free_WiFi” or “Starbucks Guest” and waits for people to connect. Once you are on their network, they control the route between your device and the internet. They cannot break HTTPS, but they can do other useful things, such as serving fake login pages, redirecting downloads, or pushing prompts to install apps.

The defense is simple. Pay attention to the network name. If you are not sure which network is the real one, ask staff or check posted signage. Treat networks with slightly off names with suspicion. “Airport Wi-Fi” and “Airport-WiFi” are not the same thing.
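The name check described above can also be done mechanically. The following is an added example, not part of the original article: it compares scanned network names against the name the venue posts and flags near-matches. The scan list is constructed sample data, and the 0.8 similarity threshold is an assumption.

```python
import re
import unicodedata
from difflib import SequenceMatcher

LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off; tune it for your own venue names


def normalize(ssid: str) -> str:
    """Fold case, Unicode compatibility forms, spacing and punctuation,
    so 'Airport Wi-Fi' and 'Airport-WiFi' collapse to the same key."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return re.sub(r"[\W_]+", "", folded)


def classify(posted: str, seen: str) -> str:
    """Compare one scanned SSID with the name on the venue's signage."""
    if seen == posted:
        # Only the name matches. A name can be copied exactly, so this
        # is not proof that the access point belongs to the venue.
        return "posted-name"
    a, b = normalize(posted), normalize(seen)
    if a == b or SequenceMatcher(None, a, b).ratio() >= LOOKALIKE_THRESHOLD:
        return "lookalike"  # close to the posted name but not identical
    return "unrelated"


def triage(posted: str, scan: list) -> dict:
    """Map every SSID in a scan to its verdict against the posted name."""
    return {ssid: classify(posted, ssid) for ssid in scan}


# Constructed sample scan, not captured from a real venue.
SAMPLE_SCAN = [
    "Airport Wi-Fi",      # the name on the signage
    "Airport-WiFi",       # same letters, different punctuation
    "AIRP0RT WI-FI",      # zero in place of the letter O
    "Airport_Free_WiFi",  # posted name with an extra word
    "Starbucks Guest",    # a different network entirely
]

if __name__ == "__main__":
    for ssid, verdict in triage("Airport Wi-Fi", SAMPLE_SCAN).items():
        print(f"{verdict:12} {ssid!r}")
```

Anything reported as a lookalike is a network to ask staff about before joining.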

Captive Portals

The login page that pops up when you join a coffee shop network is called a captive portal. It often asks for an email address before letting you onto the internet. That address goes into the venue’s marketing system or, sometimes, gets resold to advertising partners.

This is not a security risk in the traditional sense. It is a privacy and spam risk. A temporary email is the right tool here. The captive portal needs a working address to send the confirmation link to. After you click the link and the network lets you through, the address can expire and your real inbox stays clean.

Non-HTTPS Connections

The few remaining services that still use plain HTTP, including some older email setups and some legacy hardware admin pages, do expose data on hostile networks. This category has shrunk dramatically, but it has not vanished. If your work environment still uses any internal portal that is HTTP-only, do not use it over public Wi-Fi.

Outdated Devices

An old laptop or phone that has not received security updates in years is more exposed on any network it joins, public or not. Attackers on the same Wi-Fi can probe for known vulnerabilities in older operating systems. Keep your devices updated. If a device cannot get current security patches, do not take it onto public networks for anything sensitive.

Shoulder Surfing

This one is unglamorous and effective. The person two seats over can see your screen. They can read what you type. Cafés and airports are full of people pretending to look at their own phones while glancing at yours. A privacy filter on your laptop screen costs less than a meal and removes most of this risk.

The VPN Question

Should you use a VPN on public Wi-Fi? The honest answer is: probably, but for clearer reasons than the marketing suggests.

A VPN tunnels all of your traffic through an encrypted connection to a server you choose. On a hostile network, this means the local attacker sees only encrypted traffic to your VPN provider, and nothing about which sites you are visiting or what you are doing on them. That is genuinely useful protection against the impersonation and DNS games that fake networks try to play.

What a VPN does not do is make you anonymous. The VPN provider knows everything the local network would have known. Pick a provider you trust, ideally one with a transparent no-logs policy and a clean audit history, rather than the loudest sponsor of the week.

A Practical Public Wi-Fi Routine

Most of the risk on public networks comes down to a handful of habits.

  • Verify the network name with staff. If a venue has free Wi-Fi, there is usually a posted name. Use only that one.
  • Use a temporary email for captive portals. Avoid handing your real address to the venue’s marketing platform.
  • Turn off auto-join for open networks. Phones will silently connect to known network names elsewhere, including ones an attacker has named identically. Disable this for any network you do not explicitly trust.
  • Use HTTPS-only mode in your browser. Modern browsers can refuse to load any page that is not encrypted, with a warning. Turn it on.
  • Run a VPN for general traffic. Especially if you travel a lot or work from cafés often.
  • Disable file sharing and AirDrop in public mode. Both can be probed by other devices on the same network.
  • Save sensitive logins for trusted networks. Even with HTTPS, there is no downside to waiting until you are home for tasks like changing passwords or filing taxes.

The Hotel and Airbnb Variant

Hotel networks deserve a small mention. They are not very different from café networks in principle, but they often expose internal admin interfaces of cheap routers and smart TVs on the same local subnet as your laptop. The same advice applies, with one addition: do not assume the room’s smart TV is friendly. Avoid signing into personal streaming accounts on hotel TVs unless the hotel offers a clear sign-out option for the TV itself. The previous guest who logged in and forgot is a story you do not want to repeat.

What You Do Not Need to Worry About

For balance, here is what is no longer a meaningful risk on public Wi-Fi:

  • Someone reading your passwords as you log into a normal modern website
  • Someone reading your email through the browser interface of any current email provider
  • Someone seeing the contents of your bank dashboard

All of these are protected by HTTPS, which the attacker cannot break. The story has moved on. Use that knowledge to focus on the parts of the threat that are still real.

The Quiet Default

Public Wi-Fi is part of normal life. You will use it dozens of times this year. The right mindset is not fear but a quiet default routine: confirm the network, use a temporary email for the sign-in portal, keep your devices updated, run a VPN, and let HTTPS do the heavy lifting. Once those habits are in place, you can stop thinking about the network and get back to the coffee.
