How to Use Public Wi-Fi Safely — 5 Rules for Cafes, Airports, and Hotels
Why Public Wi-Fi Is Riskier Than You Think
Free Wi-Fi is everywhere — cafes, airports, hotels, trains. It saves data and feels frictionless, but public networks are one of the easiest places for attackers to snoop on your activity. Two techniques do most of the damage:
- Man-in-the-middle (MITM) attacks: An attacker sits between you and the server you're talking to, quietly intercepting or modifying traffic. Anything not protected by HTTPS can be read in plaintext.
- Evil twin access points: A laptop running the right software can broadcast an SSID that looks identical to the legitimate one ("Starbucks Free WiFi"). Phones that have saved a network with that name will connect automatically.
Even password-protected hotspots aren't safe from other users on the same network. If you're going to use public Wi-Fi — and most of us do — five habits dramatically reduce the risk.
Rule 1 — Watch the Padlock and HTTPS
HTTPS encrypts the channel between your browser and the site you're visiting. Look for the padlock icon and an https:// URL before entering a password, card number, or anything sensitive. If the browser warns that a certificate is invalid, stop immediately. On a public network that warning is almost always an attack, not a misconfigured site.
Rule 2 — Turn Off Auto-Join for Networks You Don't Control
Phones reconnect to previously joined Wi-Fi automatically. Attackers exploit this by broadcasting common names (e.g., attwifi, xfinitywifi) so nearby devices connect without the user noticing.
- iPhone: Settings → Wi-Fi → tap (i) next to a network → toggle off Auto-Join.
- Android: Settings → Network & Internet → Internet → Saved networks → remove networks you rarely use.
Prune your saved network list every few months.
Rule 3 — Use a VPN for Sensitive Work
A VPN wraps all of your device's traffic in an encrypted tunnel to a remote server. Anyone sniffing the local Wi-Fi sees noise instead of your data.
- What to look for: a strict no-logs policy, independent audits, jurisdiction in a privacy-friendly country. Established names include Mullvad, Proton VPN, and ExpressVPN.
- Avoid unknown "free" VPNs. Several have been caught selling user traffic; a dodgy VPN is worse than no VPN.
- You don't have to leave it on 24/7 — at minimum, flip it on when banking or logging into work tools over public Wi-Fi.
Rule 4 — Switch to Cellular for Money and Logins
Your carrier's 4G/5G link is far harder to tamper with than a cafe hotspot. For a handful of sensitive tasks, the data usage is trivial. Use cellular (or tether your laptop to your phone's personal hotspot) for:
- Online banking and brokerage apps
- Adding or editing payment methods
- Authentication flows, 2FA setup, password resets
- Work email and cloud storage sign-ins
A personal hotspot's Wi-Fi link is encrypted and shared only with your own devices, so it's the safer "public" option.
Rule 5 — Two-Factor Authentication Everywhere
If a password does leak, 2FA stops an attacker from walking into the account. Use an authenticator app (Authy, Google Authenticator, Microsoft Authenticator) rather than SMS codes where possible — SIM-swap attacks make SMS the weakest form of 2FA. Combine that with unique passwords per service (a password manager handles this for you) and your exposure drops dramatically.
Extra Habits
- File sharing: Turn off AirDrop "Everyone" and Windows network sharing on public networks.
- Sign out: On hotel lobby PCs or shared workstations, always log out and prefer private/InPrivate browser windows.
- Trust your gut: If a familiar cafe suddenly has an open SSID where it used to be protected — or a slightly different spelling — skip it.
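The checks behind Rule 2 and the "trust your gut" habit, written out as an added example (not part of the original article): it compares a Wi-Fi scan against the device's saved networks and flags a protected network that now shows up open, a near-identical spelling, and saved open networks that any access point can imitate by name alone. The saved list, the scan rows, the function names and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample data: networks this device has saved, with the
# security type each one had when it was first joined.
SAVED = {"CornerCafe": "WPA2", "Starbucks Free WiFi": "OPEN"}

# Constructed scan results: (SSID, BSSID, security) visible right now.
SCAN = [
    ("CornerCafe", "02:00:00:00:00:01", "WPA2"),
    ("CornerCafe", "02:00:00:00:00:02", "OPEN"),
    ("CornerCaffe", "02:00:00:00:00:03", "OPEN"),
    ("Starbucks Free WiFi", "02:00:00:00:00:09", "OPEN"),
    ("HotelGuest", "02:00:00:00:00:10", "WPA2"),
]

def normalize(ssid):
    """Fold case and drop separators so 'Corner_Cafe' compares like 'cornercafe'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def check_scan(saved, scan, threshold=0.85):
    """Return (ssid, bssid, reason) for every scan row worth a second look."""
    findings = []
    for ssid, bssid, security in scan:
        if ssid in saved:
            if saved[ssid] != "OPEN" and security == "OPEN":
                # Same name, but the protection it used to have is gone.
                findings.append((ssid, bssid, "downgrade"))
            elif saved[ssid] == "OPEN":
                # Nothing but the name identifies a saved open network,
                # so auto-join cannot tell the real one from a copy.
                findings.append((ssid, bssid, "saved-open"))
            continue
        # Not a saved name: is it a slightly different spelling of one?
        for known in saved:
            ratio = SequenceMatcher(None, normalize(ssid), normalize(known)).ratio()
            if ratio >= threshold:
                findings.append((ssid, bssid, "lookalike:" + known))
                break
    return findings

if __name__ == "__main__":
    for ssid, bssid, reason in check_scan(SAVED, SCAN):
        print(f"{ssid!r} ({bssid}): {reason}")
```

A "saved-open" finding is not proof of an attack; it marks the saved entries worth removing or setting to manual join under Rule 2.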
You don't need to avoid public Wi-Fi entirely. Reading news, streaming, and navigation are fine. The danger is concentrated in anything involving a login or money. Keep these five rules in your daily muscle memory and you'll get the convenience of free Wi-Fi without the side order of account theft.