Public Wi-Fi in 2026: Actual Risks vs. Outdated Advice
Public Wi-Fi advice has been photocopied from article to article for over a decade: never check your bank account at a café, hackers can see everything you type, always use a VPN or else. Some of it was excellent advice — for 2014. Then the web quietly rebuilt itself, and the advice never got the memo. So let's grade the classics honestly, then talk about what actually deserves your caution at the airport gate.
Grading the classic advice
"Anyone on the network can read your passwords" — RETIRED
Once true, and the reason for all the fear: tools of the sslstrip era really did let a laptop two tables over capture logins wholesale. What changed is that HTTPS ate the web — encryption now covers virtually all meaningful traffic, every login and payment page included, with browsers shouting warnings on the stragglers. HSTS means major sites can't even be downgraded to unencrypted versions. The eavesdropper at the next table today captures gibberish with a side of metadata. The fear outlived the vulnerability by about a decade — and an entire VPN advertising industry was built in the gap, a story I've already told.
"Never do banking on public Wi-Fi" — RETIRED, with an asterisk
Your banking session is TLS-encrypted from your browser to the bank regardless of the network carrying it; the bank's app typically adds certificate pinning on top. The asterisk isn't about the network at all — it's about shoulders. The genuinely effective café attack on your finances is a human watching you type a PIN. Privacy filter beats VPN, in this one venue, as a pure value-for-threat purchase.
"Use a VPN or you're exposed" — REVISED
Demoted from survival gear to situational tool. What a VPN still legitimately does on public networks: hides which sites you visit from the network's operator (the hotel, the airport, whoever actually runs that SSID — see below for why that's not nothing), and armors the small unencrypted remainder of your traffic. What it never did: stop phishing, malware, or any of the things the ads imply. Reasonable to use, wrong to rely on — the full claim-by-claim teardown is in the VPN article [link #21].
"Turn off file sharing on public networks" — STILL TRUE, now automated
The one classic that aged perfectly, because the underlying risk is real: on a shared network, your device itself is reachable by strangers' devices. Windows handles this with network profiles — and this is the single most important setting in this article: when you join any public network, Windows asks (or assumes) a profile, and Public turns off discovery, file sharing, and inbound exposure. Check it now for the network you're on: Settings → Network & internet → properties of your connection → Network profile type → Public for anything that isn't your home. The firewall rules differ enormously between profiles — it's the same mechanism that bit us from the other direction in the RDP guide, where a network wrongly marked Public blocked legitimate access. Out in the world, Public is exactly what you want.
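The Settings path above is the click-through version; the same check and fix scripted, as an added example that is not from the article, for anyone who wants it to run every time they open a laptop somewhere new. It assumes an elevated PowerShell on an English-language Windows (the "File and Printer Sharing" rule group name is localized) and a constructed home SSID name.

```powershell
# Added example (not from the article): audit every connected network, force the
# Public profile on anything that is not the trusted home SSID, then confirm the
# Public firewall profile is actually doing the blocking the article relies on.
# Run from an elevated PowerShell; Set-NetConnectionProfile needs administrator rights.

# Constructed assumption: only this SSID should stay Private.
$TrustedNetworks = @('MyHomeSSID')

foreach ($profile in Get-NetConnectionProfile) {
    $wanted = if ($TrustedNetworks -contains $profile.Name) { 'Private' } else { 'Public' }
    if ($profile.NetworkCategory -ne $wanted) {
        Write-Host ("{0} on {1} is {2}; setting {3}" -f $profile.Name, $profile.InterfaceAlias, $profile.NetworkCategory, $wanted)
        Set-NetConnectionProfile -InterfaceIndex $profile.InterfaceIndex -NetworkCategory $wanted
    } else {
        Write-Host ("{0} on {1} is already {2}" -f $profile.Name, $profile.InterfaceAlias, $wanted)
    }
}

# The profile only matters because the firewall keys its rules off it. Confirm the
# Public profile is enabled and drops unsolicited inbound connections by default.
$fw = Get-NetFirewallProfile -Name Public
if (-not $fw.Enabled -or $fw.DefaultInboundAction -eq 'Allow') {
    Write-Warning "Public firewall profile is weakened: Enabled=$($fw.Enabled) Inbound=$($fw.DefaultInboundAction)"
    Set-NetFirewallProfile -Name Public -Enabled True -DefaultInboundAction Block
}

# Finally, make sure file sharing is not explicitly allowed through on Public. Each
# rule carries a Profile field; an enabled inbound sharing rule scoped to Public or
# Any is the gap the "turn off file sharing" advice is about.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Action
```

An empty result from the last query means no sharing rule is open on Public; anything listed is worth disabling with Disable-NetFirewallRule, or reviewing if you rely on it at home.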
The risks that are actually current
The network operator, and impostors. Encryption hides your content, not your destinations — whoever operates the access point sees DNS lookups and the sites you visit, and "whoever operates" is doing heavy lifting: anyone can broadcast an SSID named "Airport_Free_WiFi" from a backpack (the evil twin — alive and well, just demoted from password-stealing to metadata-collecting and mischief). This is the surviving honest use case for that VPN, and for encrypted DNS — the DoH setting I covered in the DNS article travels with you.
The captive portal con. The login page itself is the modern attack surface. A real portal wants a room number or an email and a checkbox. The fake or compromised one escalates: install our app to connect, install this certificate, "sign in with Google" on a page that is very much not Google. Two rules cover it: never install anything — app, profile, or certificate — to get Wi-Fi (a malicious root certificate is the one thing that genuinely CAN break your HTTPS protection, which is why that's the con), and treat any portal demanding real account credentials as the phishing page it probably is — the domain-reading reflexes from the phishing article [link] apply. [Personal note placeholder: the weirdest captive portal you've met — every traveler in IT has one.] Side tip from the trenches: when a legitimate portal just won't appear, browsing to neverssl.com forces it — a trick from my Wi-Fi troubleshooting guide.
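The "install this certificate" con leaves a trace you can look for: a root CA a user installs without admin rights lands in the per-user trust store. The following check, an added example that is not from the article, lists roots trusted only for the current user account so they can be reviewed. It is a heuristic for review, not a verdict, and the thumbprint in the removal comment is a constructed placeholder.

```powershell
# Added example (not from the article): list root CAs trusted only for this user.
# A captive portal that says "install this certificate to connect" can only write to
# the per-user Root store without admin rights, so roots present in CurrentUser\Root
# but absent from LocalMachine\Root are the ones to review. Heuristic, not a verdict:
# confirm each hit before removing it.
$machineRoots = Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }

$userOnly = Get-ChildItem -Path Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint

if (-not $userOnly) {
    Write-Host 'No user-scoped root certificates found.'
} else {
    Write-Warning 'Root CAs trusted only for this user account; verify each was intentional:'
    $userOnly | Sort-Object NotBefore -Descending | Format-Table -AutoSize
    # To remove one after confirming it is unwanted (constructed placeholder thumbprint):
    # Remove-Item -Path Cert:\CurrentUser\Root\<THUMBPRINT>
}
```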
Your own device's hygiene, amplified. An unpatched laptop is at modestly more risk among 200 strangers than on your home LAN — the same vulnerabilities, more potential neighbors. Nothing exotic: updates current, firewall on (the Public profile, again), done.
Honorable mention, juice jacking: the malicious-USB-charging-port scare is mostly theoretical against modern phones, which ask before trusting a data connection. Tap "charge only," or carry your own brick. Fine; just not the headline risk it plays on the news.
The modern rulebook
Everything above compresses into habits that take no ongoing effort: keep the device updated; let Windows mark every strange network Public; turn on the browser's HTTPS-only mode, which converts "encryption almost everywhere" into "everywhere or ask me"; install nothing a portal requests; type credentials only on domains you've read; use a VPN if the operator's curiosity bothers you — or skip the question entirely for sensitive work by using your phone's hotspot, which remains the cleanest answer ever invented to "is this network trustworthy?" (it's yours; next question). The café Wi-Fi isn't the dark alley of legend anymore. It's more like a public bench: fine to sit on, just don't leave your bag open — and know that the bench was never the dangerous part. The QR sticker someone slapped on it might be.