How Hackers Steal Passwords on Public Wi-Fi
You've heard the warning your whole life: don't do anything important on public Wi-Fi, because someone nearby could be pulling your passwords straight out of the air. That used to be exactly true. It mostly isn't anymore — and the reason it stopped being true is the reason the real attack got so much quieter. This video follows Sam, working from a coffee shop, and Kim, a penetration tester the café actually hired to test its network. Years ago Kim could have opened Wireshark, watched the traffic float past, and read Sam's password as plain text. Today almost every real site runs HTTPS, so the same capture arrives as unreadable noise. So we walk through what a 2026 attacker does instead, one step at a time. First the reconnaissance: encryption hides the contents of your traffic but not its shape, and the DNS lookups leaking off an open network name every site your phone reaches — a profile, not a password. Then the pivot that matters — Kim stops listening and becomes the network, standing up a rogue access point with the café's exact name and a stronger signal, because a phone recognizes a network only by its name and reconnects on its own. From there: the KARMA problem of remembered names that sit on millions of phones, the captive portal — that "sign in to continue" page we've been trained to accept — asking Sam to type his real password into a page Kim wrote, the narrower but real world of SSL stripping and lookalike domains, and finally how a stolen password or session cookie gets spent that night from home, where nothing looks out of place because by every check the system runs, it was Sam. We close on the two defenses that actually change the outcome: a VPN that turns a rogue access point into a tunnel it can't read, and passkeys, which have no password to phish and refuse to sign in on a domain that isn't the real one. Like every video on this channel, this shows how the attack is built, not how to run it. The point is to understand the weakness, not hand it over. public Wi-Fi security · why HTTPS changed password sniffing · evil twin / rogue access point attacks · the KARMA attack and remembered network names · captive portal phishing with Wifiphisher · SSL stripping (sslstrip) and its shrinking surface · session cookie reuse and account takeover · how VPNs and passkeys actually stop it. ⚠️ Educational, defensive security. Nothing here is a usable exploit. CHAPTERS 0:00 The warning you half-remember 1:00 What the air still gives away 1:50 Becoming the network (evil twin) 2:56 When your phone volunteers (KARMA) 3:45 The page that asks nicely 4:38 Stripping the padlock 5:43 Spent somewhere else 6:20 The name was never proof

She Called Bruce Lee a Fake in Front of 4,000 People—Seconds Later, Everyone Regretted It

Wi-Fi Hacking Basics: Networking 101 For Ethical Hackers

How to Stop Cops From Using Wi-Fi to "See Through the Walls" of Your Home

The Dark Web EXPOSED (FREE + Open-Source Tool)

3 Levels of WiFi Hacking

20 Secret Hacking Gadgets on Amazon That Are 100% Legal

Password Complexity is a Lie – Here’s What Actually Keeps You Safe

How HACKERS Bypass BIOS Password

You can’t trust task manager… how malware hides (3 ways)

I Made an Antivirus That Secretly Attacks Scammers

How Hackers Steal Your Phone Number

How to Track the People Tracking YOU

STOP using a VPN for Security! (here's why)

Hacker Warns: Millions Are Being Watched Right Now (Check These Devices ASAP)

How To Access the DARK WEB in 2024 (3 Levels)

How The FBI Finds Your REAL IP Address

How easy is it to steal $10,000 from a locked phone?

How Your Phone is Tracked in 2026 – And How to Stop It

How to hack IP Cameras (Ethically) and learn IoT hacking

