Staying Safe on Public WiFi

How to protect yourself when using public or shared WiFi networks at hotels, airports, and cafes

Public WiFi at hotels, airports, cafes, and coworking spaces is convenient but comes with real risks. Anyone on the same network can potentially see your traffic, and fake networks can trick you into connecting to an attacker's access point instead of the real one.

The good news is that a few simple habits eliminate most of the risk. Here is what to know and what to do.

What makes public WiFi risky

Public networks are shared — dozens or hundreds of strangers are on the same network. This creates a few specific threats:

  • Packet sniffing — on an open (unencrypted) network, anyone with free software can capture traffic from other devices on the same network. If you visit a site over plain HTTP (no HTTPS), they can see everything: URLs, form data, login credentials
  • Evil twin attacks — an attacker sets up a WiFi hotspot with a name like "Hotel_WiFi_Free" that looks like the real network. When you connect, all your traffic routes through their device. They can see everything and even modify pages you load
  • Man-in-the-middle (MITM) — an attacker positions themselves between you and the router, intercepting and potentially altering traffic. On networks without proper isolation, this is easier than it sounds
  • Rogue captive portals — the fake login page you see when joining a network could itself be malicious, designed to harvest credentials or trick you into downloading something

For businesses, this is especially relevant for traveling employees who routinely connect at hotels, airports, and client offices.

How to stay safe

  1. Use a VPN — this is the single most effective step. A VPN encrypts all traffic between your device and the VPN server, making it unreadable to anyone on the local network. Turn it on before you start browsing. If your company provides a VPN, use it. For personal use, see our VPN basics guide for how VPNs work and how to set one up
  2. Verify the network name — before connecting, ask staff for the exact WiFi name and password. Do not just connect to the strongest open signal — that could be an evil twin. If there are two similar names (e.g., "Marriott_WiFi" and "Marriott_WiFi_Guest"), confirm which one is real
  3. Check for HTTPS — look for the lock icon in your browser's address bar before entering any credentials or sensitive information. HTTPS encrypts the connection between your browser and the website. Most major sites use HTTPS by default now, but not all do
  4. Avoid sensitive transactions — do not log into banking, make purchases, or access sensitive work systems on public WiFi without a VPN. If you must, use your phone's mobile data or hotspot instead
  5. Turn off auto-connect — disable the setting that automatically joins known or open networks. You want to deliberately choose which network to join every time
  6. Forget the network when you leave — after disconnecting, go to your WiFi settings and forget the network. This prevents your device from automatically reconnecting next time you are nearby, and from broadcasting the network name as a preferred network (which can be used for tracking)
  7. Disable file sharing and AirDrop — on a public network, turn off any file sharing, AirDrop (Mac/iOS), or Nearby Share (Android/Windows) to prevent unauthorized file transfers or device discovery
  8. Use your phone as a hotspot instead — if you have a decent mobile data plan, tethering through your phone's hotspot is significantly safer than public WiFi. You control the network, and the traffic goes over your carrier's cellular connection, which is much harder to intercept

In short

  1. Use a VPN before doing anything on public WiFi — it encrypts all your traffic
  2. Verify the exact WiFi network name with staff, check for HTTPS, and avoid banking or sensitive logins without a VPN
  3. Forget the network when you leave and use your phone's hotspot as a safer alternative

Captive portals explained

A captive portal is the login or terms page that appears when you first join a hotel or airport network. It intercepts your web traffic and redirects you to a page where you accept terms, enter a room number, or pay for access.

Captive portals are normal infrastructure, but worth understanding:

  • They work by hijacking your first HTTP request, which is why HTTPS-only sites sometimes will not load until you complete the portal. Your device usually detects this and shows a notification to sign in
  • Only enter the minimum information required. If a portal asks for an email, a throwaway address is fine. If it asks for payment information, make sure the URL shows HTTPS and the domain looks legitimate
  • A captive portal is not a VPN and does not encrypt your traffic. After you pass through it, you are still on a shared network with the same risks as before
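The detection step described above, as an added example (not code from this guide): a plain-HTTP probe expects an empty "204 No Content" reply, and anything else means a portal answered in its place. The probe URL, the function names, and the state labels are assumptions chosen for illustration, and the sample responses are constructed.

```python
"""Captive-portal check: classify the answer to a plain-HTTP probe (added example)."""
import http.client
from urllib.parse import urlsplit

# Assumption: this endpoint answers "204 No Content" when nothing intercepts it.
PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"
REDIRECTS = {301, 302, 303, 307, 308}


def classify_probe(status, headers, body):
    """Return (state, portal_url) for one probe response.

    online           expected 204 with an empty body arrived untouched
    portal-https     redirected to a sign-in page served over HTTPS
    portal-http      redirected to a sign-in page served over plain HTTP
    portal-rewritten no redirect, but the answer is not the expected 204
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 204 and not body:
        return ("online", None)
    location = hdrs.get("location", "")
    if status in REDIRECTS and location:
        # A relative Location has no scheme and stays on the plain-HTTP probe host.
        scheme = urlsplit(location).scheme.lower()
        return ("portal-https" if scheme == "https" else "portal-http", location)
    return ("portal-rewritten", None)


def probe(url=PROBE_URL, timeout=5):
    """Send one GET without following redirects and classify the reply."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return classify_probe(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real network).
SAMPLES = {
    "no portal": (204, {}, b""),
    "https portal": (302, {"Location": "https://portal.hotel.example/login"}, b""),
    "http portal": (302, {"location": "http://192.0.2.1/login"}, b""),
    "rewritten": (200, {"Content-Type": "text/html"}, b"<html>Accept terms</html>"),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(f"{name:13} -> {classify_probe(status, headers, body)}")
```

On a live network, call `probe()`; a `portal-http` result means anything typed into the sign-in page crosses the shared network unencrypted.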

What HTTPS does and does not protect

HTTPS encrypts the connection between your browser and the specific website you are visiting. This means:

  • Protected: the content of pages you visit, form data you submit, login credentials you type on that site
  • Not protected: which websites you visit (the domain names are visible via DNS queries), the fact that you are online, your device's presence on the network, and traffic from non-browser apps that may not use HTTPS

HTTPS is essential, but it is not a substitute for a VPN on public networks. A VPN covers everything — all apps, all traffic, including DNS queries.

Frequently Asked Questions

Is hotel WiFi safe?

Not inherently. Hotel WiFi is a shared network, and even password-protected hotel networks share that password with every guest. The password prevents outsiders from joining but does not protect you from other guests on the same network. Use a VPN whenever you are on hotel WiFi, especially for work or anything involving credentials.

Does HTTPS protect me on public WiFi?

Partially. HTTPS encrypts the content of your connection to a specific website, so someone sniffing the network cannot read your passwords or form data on that site. But HTTPS does not hide which sites you visit (DNS queries are typically unencrypted), does not protect non-browser apps, and does not help if you land on a malicious site that mimics a real one. A VPN provides the comprehensive protection that HTTPS alone cannot.

Can someone hack my phone on public WiFi?

It is unlikely that someone will "hack into" your phone just by being on the same WiFi network — modern phones have decent security. The real risk is interception: seeing your unencrypted traffic, stealing session cookies, or tricking you into connecting to a fake network. Using a VPN and sticking to HTTPS sites eliminate nearly all of this risk.

Should I use a free VPN?

Be cautious with free VPNs. Some monetize by logging and selling your browsing data, which defeats the purpose entirely. Others inject ads or have slow speeds that make them impractical. If your employer provides a VPN, use that. For personal use, a reputable paid VPN service is worth the few dollars per month. See our VPN basics guide for recommendations.

Is mobile data safer than public WiFi?

Yes, significantly. Cellular data is encrypted between your device and the cell tower, and an attacker would need specialized equipment to intercept it — far harder than sniffing WiFi traffic with a laptop. If you have the option, using your phone's hotspot is almost always safer than connecting to public WiFi.