Public Wi-Fi: When It's Fine and When to Avoid It
Almost every piece of advice on this topic is at least a decade out of date. "Never do online banking on public Wi-Fi" — that was good advice in 2012. It is no longer particularly important advice in 2026. The internet has changed underneath that warning, and what it now defends against is mostly already defended elsewhere.
Here is the honest, modern version.
What changed
In 2012, plenty of websites — even big ones — used unencrypted connections. If you logged into your bank from a coffee shop, someone on the same network could, with the right tools, see your password going past in plain text. That was a real risk.
Today, essentially every website worth visiting uses HTTPS — the little padlock icon in the browser address bar. HTTPS means the connection between your phone and the website is encrypted from end to end. The Wi-Fi network can see that you're talking to chase.com, but it cannot see what you're saying, what's being said back, your password, your account number, or your balance.
Banking apps and other major apps don't even use a browser — they use the bank's encrypted backend directly. Same protection.
So the "public Wi-Fi steals your password" scenario, the one that got drilled into all of us, is almost entirely solved at this point.
What is still a real risk
Three things, in order of how much I actually worry about them:
Fake hotspots. Someone in a coffee shop runs a hotspot from their laptop called "Free Starbucks Wi-Fi" or "Hilton Guest." You connect to it. They route your traffic through their laptop, hoping to catch something useful or redirect you to a fake login page for a service you use.
The defense: only connect to a Wi-Fi network the business has actually told you about, either with a sign on the wall, a sticker on the table, or a printed receipt. If you're not sure which network is the real one, ask. Real businesses are happy to tell you. Scammers won't have set up a sign that points to their fake one.
Pop-up sign-in pages. Some legitimate Wi-Fi networks (hotels, airports, gyms) make you click through a sign-in page first — accept terms of service, enter your room number, that sort of thing. Most are fine. A few have been compromised over the years to ask for unusual information.
The defense: never enter a password, credit card number, or social security number on a Wi-Fi sign-in page. If it asks for any of those, close the page and use cellular data instead. A real Wi-Fi page only needs to know you're a guest.
Automatic connection to remembered networks. Your phone remembers Wi-Fi networks you've connected to and automatically reconnects when one is in range. An attacker can broadcast a fake network with the same name as a familiar one ("xfinitywifi" or "attwifi") and your phone will connect automatically without asking.
The defense: in Settings → Wi-Fi → Edit (iPhone) or Settings → Network & internet → Saved Networks (Android), remove networks you don't intentionally use anymore. Old hotel networks, the airport Wi-Fi from a trip two years ago, the network at the conference you attended once. Clean them out occasionally.
What's safe to do on a coffee shop Wi-Fi
In 2026, with HTTPS everywhere, banking apps, email apps, and most other major apps work fine on public Wi-Fi. The encrypted connection protects you from anyone watching the network.
If it makes you feel better, use cellular data instead — your phone will switch automatically if you turn Wi-Fi off. Cellular is more private than even a trustworthy Wi-Fi because there's no middleman to spoof or compromise. The trade-off is that some apps use a lot of data; a 30-minute video call on cellular can chew through 500 megabytes.
For most ordinary tasks — checking email, reading the news, scrolling through photos — the Wi-Fi at a chain coffee shop or a hotel is genuinely fine in 2026.
What I personally still avoid
I won't enter a new password or set up two-factor authentication on a brand-new account while on public Wi-Fi. Not because someone on the network can intercept it (HTTPS protects against that) but because if my phone is misconfigured or my browser is showing me a fake site, I'd rather not learn that lesson in a Hilton lobby.
I also don't do tax returns or download tax documents on hotel Wi-Fi. There's no specific technical reason; it's a personal preference about where private financial work belongs. I do it at home, on my own network.
Other than that, the modern internet is genuinely fine on public networks.
VPNs — useful but probably not for you
A "VPN" is a service that encrypts everything between your phone and a remote server, so even your home internet provider can't see what websites you visit. They run $5 to $12 a month.
VPNs are useful for journalists, travelers visiting countries with strict internet controls, and people who care a lot about privacy from their internet provider. For an ordinary retiree using a phone in a coffee shop, they are mostly an unnecessary expense that adds a small amount of slowness and complexity.
If a salesman tries to sell you a VPN by warning you about public Wi-Fi, the warning is dated. The product has legitimate uses, but those uses aren't usually the ones in the advertisement.
The summary in one sentence
Connect only to Wi-Fi networks the business has actually told you about, don't enter sensitive information into pop-up sign-in pages, clean out old saved networks occasionally, and your modern phone will do the rest. The coffee is more dangerous to your day than the Wi-Fi is.
Written by David Chen. Last verified 19 June 2026.