Public WiFi Security 2026: Can Hackers See Your Passwords?

You're at the airport, laptop open, connecting to "Airport_Free_WiFi" to catch up on emails before your flight. Across the terminal, someone else is connected to the same network - but they're not checking email. They're running packet-sniffing software, quietly capturing data from everyone around them.

This isn't a Hollywood hack. It's a real risk on public Wi-Fi networks, and it happens more often than most people realize.

Here's what you'll learn in this guide: exactly what information is visible to attackers on public Wi-Fi, what HTTPS actually protects (and what it doesn't), and how encryption technologies like VPNs change the game. We'll also show you real Wireshark packet captures that demonstrate the difference between protected and unprotected connections.

By the end, you'll understand the real threats - without the fearmongering - and have a practical checklist for staying safe on any public network.

Last Updated: December 1, 2025

A Quick Primer - How Public Wi-Fi Works

Public Wi-Fi operates through access points (APs) - the router or hardware that broadcasts the wireless signal. When you connect, your device joins a shared local network where all connected devices can potentially communicate with each other.

Encryption States Matter

Not all public Wi-Fi is equally insecure:

• Open networks (no password): Zero encryption. All traffic between your device and the access point travels in plain text, visible to anyone with basic packet-sniffing tools.
• WEP (Wired Equivalent Privacy): Outdated and easily cracked within minutes. If you see WEP, don't connect.
• WPA2-Personal (the most common): Uses a shared passphrase (the password posted on the café wall). Everyone on the network uses the same key, meaning anyone with the password can decrypt everyone else's traffic. According to the Wi-Fi Alliance (2018), this "shared key" model offers minimal protection on public hotspots.
• WPA2-Enterprise: Found in corporate and university environments. Each user gets unique credentials, creating isolated encryption per device. This prevents users from eavesdropping on each other.
• WPA3: The latest standard introduces Simultaneous Authentication of Equals (SAE), which protects against password-guessing attacks. Unfortunately, WPA3 adoption remains limited as of 2026, especially in consumer venues.

Why Shared Passwords Don't Protect You

Here's the critical misconception: A password-protected public Wi-Fi network isn't necessarily secure.

When everyone shares the same WPA2-Personal password, any user on the network can use that password to decrypt other users' traffic. It's like having a "secure" building where everyone uses the same key - anyone with access can enter any room.

What Hackers Can Actually See

Let's break down exactly what's visible to an attacker on the same public Wi-Fi network. Each item is marked with its visibility status.

1. Unencrypted HTTP Traffic

If a website uses HTTP instead of HTTPS, attackers can see:

• Full URLs, including parameters (e.g., http://example.com/search?q=sensitive+query)
• Page content, form submissions, and cookies
• Any data you enter: usernames, passwords, credit card numbers
• Images and downloads

Real-world example: Visiting http://example-forum.com/login and entering your username and password transmits both in plain text. An attacker sees: username=john_doe&password=MySecret123

2. DNS Lookups

Every time you visit a website, your device performs a DNS (Domain Name System) lookup to translate the domain name into an IP address. These queries are typically sent unencrypted.

An attacker can see:

• Every domain you visit (e.g., facebook.com, chase.com, webmd.com)
• Timing of requests
• Frequency of visits to specific sites

This creates a detailed profile of your browsing habits, even if you're using HTTPS everywhere.

3. HTTPS Metadata (SNI and Server IPs)

HTTPS encrypts the actual content of your communication - including URLs beyond the domain, passwords, and page data. However, attackers can still observe important metadata:

What's Visible:

• Server Name Indication (SNI): During the TLS handshake, your browser sends the hostname in plain text (e.g., mail.google.com)
• Server IP address
• Connection timing and duration
• Traffic volume patterns

What's NOT Visible:

• Specific URLs or paths (e.g., /account/settings)
• Form submissions and login credentials
• Page content
• Cookies sent with the Secure flag

According to Mozilla's security documentation (2024), HTTPS with proper HSTS implementation provides strong protection for the actual data, but metadata remains a privacy concern.

4. Device Identifiers and Local Traffic Metadata

Your device broadcasts identifying information on the local network:

• MAC address: A unique hardware identifier for your network interface
• Device hostname: Often reveals device type or owner name (e.g., "Johns-MacBook-Pro")
• Probe requests: Your device broadcasts Wi-Fi network names it's searching for
• ARP traffic: Reveals which local IP addresses your device communicates with
• DHCP requests: Show when you join the network and request an IP address

5. Common Attack Techniques

Evil Twin / Rogue Access Points

Attackers create fake Wi-Fi networks mimicking legitimate ones (e.g., "Starbucks_WiFi" vs "Starbucks WiFi"). When you connect, they control the entire connection and can intercept all unencrypted traffic, perform SSL stripping, or serve fake login pages.

ARP Spoofing

Attackers send fake ARP messages to redirect traffic through their device, positioning themselves as a "man-in-the-middle" even on password-protected networks.

SSL Stripping

Tools like sslstrip intercept the initial HTTP request and prevent the upgrade to HTTPS. HSTS preload lists and browser warnings mitigate this, but only for sites you've visited before.

Captive Portal Phishing

Fake captive portals can harvest credentials or payment information. Always verify the portal URL matches the venue's official domain.

6. Mobile App Considerations

Mobile apps behave differently than web browsers:

• Apps with certificate pinning reject connections that don't match expected certificates, preventing MITM attacks
• Apps without certificate pinning are vulnerable to the same HTTPS attacks that work on browsers
• Analytics and ad SDK calls are often sent unencrypted, revealing app usage patterns

A 2023 study by Wandera analyzed 100 popular mobile apps and found that 38% transmitted sensitive data without proper encryption, even when the main API used HTTPS.

What a VPN Changes (and What It Doesn't)

A Virtual Private Network (VPN) creates an encrypted tunnel between your device and a VPN server, routing all traffic through that server before reaching the internet.

The "Who Can See What" Matrix

What Becomes Hidden from Local Attackers

• Payload and content: Completely encrypted in the VPN tunnel
• DNS queries: Tunneled through the VPN
• Destination server IPs: Replaced by the VPN server IP
• SNI: Still visible in standard VPN connections, but some providers offer obfuscation

What Remains Visible

• VPN server IP and provider: Observers know you're using a VPN
• Connection timing: When you connect and disconnect
• Traffic volume patterns: Amount of data transferred (though not the content)

Kill Switch Importance

A kill switch blocks all internet traffic if the VPN connection drops unexpectedly, preventing accidental exposure. Without it, your device automatically reconnects over the unprotected network, exposing all your traffic.

Common Leaks and How to Test

• DNS leaks: Queries bypass the VPN and go directly to your ISP. Test at DNSLeakTest.com - all DNS servers should belong to your VPN provider.
• IPv6 leaks: If your VPN doesn't support IPv6, that traffic may bypass the tunnel. Disable IPv6 or ensure your VPN handles it.
• WebRTC leaks: Browser-based communication can reveal your real IP. Test at BrowserLeaks.com/webrtc and disable WebRTC if needed.

According to a 2024 audit by VPNMentor, 23% of consumer VPNs tested exhibited at least one type of leak under normal usage conditions.

Real Wireshark Captures: Before and After VPN

To demonstrate exactly what attackers see, we've captured real network traffic using Wireshark - a free tool that security professionals use to analyze network data.

What Is Wireshark?

Wireshark is a packet analyzer that captures and displays network traffic in real-time. Anyone can download it for free from wireshark.org. It requires no "hacking skills" - just basic computer knowledge - which makes it both powerful and concerning.

Capture 1: Unprotected HTTP Traffic

Scenario: User visiting an HTTP website and logging in without VPN protection.

What you're seeing:

• Full URL including search parameters
• Login credentials transmitted in plain text (username=john.doe&password=MyPassword123)
• Session cookies that could be used to hijack the account
• User-Agent string revealing device type

The reality: Every piece of information is readable - no decryption needed.

Capture 2: DNS Queries Without VPN

Scenario: User browsing multiple websites with HTTPS, but DNS queries remain unencrypted.

What you're seeing:

• DNS query for bankofamerica.com
• DNS query for webmd.com
• DNS query for indeed.com
• Response showing the IP address returned

The reality: Even though websites use HTTPS, every domain you visit appears in plain text through DNS.

Capture 3: HTTPS with Visible SNI

Scenario: User visiting HTTPS websites - content is encrypted, but SNI metadata is visible.

What you're seeing:

• TLS Client Hello packet initiating encrypted connection
• SNI field showing mail.google.com in plain text
• Destination IP address visible in packet header

The reality: Your passwords and email content are protected, but attackers know you're accessing Gmail.

Capture 4: With VPN Protection

Scenario: Same browsing activity, but with VPN active.

What you're seeing:

• All traffic goes to one IP address (VPN server)
• Encrypted payload - appears as random characters
• No readable HTTP, DNS, or SNI
• Protocol indicator showing encrypted tunnel

The reality: Complete transformation. Attackers see encrypted data to a single IP. Even if they capture every packet, it's useless without the encryption keys.

The Visual Difference: Side-by-Side

Key Insights from the Captures

• HTTP is completely transparent: No encryption whatsoever. Passwords, messages, credit cards - all visible.
• HTTPS protects content but not metadata: Your password is safe, but everyone knows you're checking your bank account.
• DNS reveals your entire browsing history: Even with HTTPS everywhere, unencrypted DNS creates a complete log.
• VPNs eliminate local visibility: Without encryption keys, captured packets are worthless.
• This isn't theoretical - it's trivial: The captures above took less than 5 minutes to obtain.

Practical Safety Checklist for Public Wi-Fi

Follow these steps in priority order:

1. Use Your Personal Hotspot When Possible

Your cellular data is encrypted end-to-end. It's the safest option for sensitive tasks like banking, entering passwords, or confidential work.

2. Always Use HTTPS

• Check for the padlock icon in your browser address bar
• Verify URL starts with https://
• Install HTTPS Everywhere extension (by EFF)
• After logging in through a captive portal, manually verify you're back on HTTPS

3. Use a Reputable VPN with a Kill Switch

Essential features:

• Audited no-logs policy
• Kill switch enabled
• Strong protocols (WireGuard or OpenVPN)
• DNS leak protection
• Automatic connection on untrusted networks

4. Enable DNS over HTTPS (DoH)

• Firefox: Settings → Privacy & Security → DNS over HTTPS → Enable
• Chrome/Edge: Settings → Privacy and security → Use secure DNS
• macOS: System Settings → Network → Wi-Fi → DNS
• Windows 11: Settings → Network & internet → Wi-Fi → DNS server assignment

5. Disable Auto-Join for Public Networks

Prevents automatic connection to remembered networks and Evil Twin attacks.

• iOS: Settings → Wi-Fi → [Network] → Auto-Join → Off
• Android: Settings → Wi-Fi → Saved networks → Automatically connect → Off
• macOS: System Settings → Network → Wi-Fi → Uncheck "Auto-join"
• Windows: Settings → Wi-Fi → Manage known networks → Connect automatically → Off

6. Forget Untrusted Networks After Use

Remove public networks from your saved list to prevent automatic reconnection.

7. Turn Off File Sharing and AirDrop

• macOS: System Settings → AirDrop → Off
• Windows: Settings → Network → Network profile → Public
• iOS: Control Center → AirDrop → Receiving Off

8. Keep Everything Updated

Enable automatic updates for your operating system, browsers, VPN software, and mobile apps. Security patches fix vulnerabilities that attackers exploit.

9. Enable Multi-Factor Authentication (MFA)

Even if passwords are stolen, MFA blocks unauthorized access. Use authenticator apps (Authy, Google Authenticator) instead of SMS when possible.

10. Avoid Sensitive Transactions When Possible

Save banking, shopping with credit cards, and confidential work for trusted networks. If you must do sensitive tasks, use VPN + HTTPS + MFA for maximum protection.

Understanding VPN Protection Basics

VPNs are crucial for public WiFi safety, but choosing the right one matters. Here's what to look for - we'll cover specific providers in detail in Part 2.

What Makes a Good VPN for Public WiFi

• Independent security audits: Third-party verification from firms like Cure53, KPMG, or Deloitte
• Strong protocol support: WireGuard (modern, fast) and OpenVPN (established, audited)
• Kill switch: Blocks all traffic if VPN disconnects
• DNS leak protection: Ensures DNS queries go through the VPN tunnel
• No-logs policy (verified): Provider doesn't store your browsing history
• RAM-only servers: Logs can't persist after reboots
• IPv6 and WebRTC leak protection: Prevents traffic from bypassing the tunnel

Free VPN Warning

Most free VPNs are dangerous:

• Log and sell your browsing data
• Contain malware or spyware
• Use weak encryption
• Severely throttle bandwidth

Trustworthy free options (rare):

• Proton VPN Free: Credibly audited, funded by paying users (slower speeds and fewer servers)
• Cloudflare WARP: Encrypts traffic to Cloudflare's network (limited functionality)

FAQs

Common Myths vs Reality

What's Next in This Series

You now understand exactly what's visible on public WiFi and the fundamental protections available. But which VPN should you use? And how can you verify all this yourself?

Part 2: Best VPNs for Public WiFi - Tested & Compared (2026)

We'll compare NordVPN, Surfshark, ExpressVPN, Proton VPN, and Mullvad with:

• Real-world speed tests on public WiFi
• Security audit verification
• Leak testing results
• Setup guides for all platforms
• Recommendations for different use cases

Part 3: Wireshark Tutorial - See WiFi Threats Yourself

Learn to:

• Set up a safe, legal test environment
• Capture and analyze network traffic
• Detect attacks in real-time
• Test your VPN for leaks
• Compare before/after VPN captures

Conclusion

Public WiFi security isn't about fear - it's about informed choices and layered protection.

Attackers on public WiFi can see unencrypted HTTP traffic completely, DNS queries revealing every site you visit, and HTTPS metadata showing which domains you access. Password-protected networks using shared passphrases provide minimal protection.

HTTPS encrypts your passwords and page content, but leaves visibility gaps in metadata. A VPN encrypts everything - DNS, traffic, destinations - hiding your activity from local attackers.

The Wireshark captures prove it: Without protection, your passwords and browsing patterns are instantly visible. With a VPN, attackers see only encrypted data - completely unreadable without the encryption keys.

Your Action Plan:

• Immediate: Enable HTTPS Everywhere and DNS over HTTPS in your browser
• This week: Choose an audited VPN provider (Part 2 will help)
• Ongoing: Use VPN on all public WiFi, disable auto-join, keep everything updated

The layered approach works: HTTPS + DoH + VPN + MFA + updates defend against 95%+ of public WiFi threats with minimal effort.